[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-5000-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jul 8 15:11:59 PDT 2021


Synopsis: USN-5000-1 can now be patched using Ksplice
CVEs: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23133 CVE-2021-23134 CVE-2021-29155 CVE-2021-31829 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3506 CVE-2021-3609

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5000-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
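The following shell script is an added example and not Oracle's or the Ksplice project's own tooling. It reconciles the CVE list from the "CVEs:" header of this advisory against the updates Ksplice reports as installed, and leaves out the CVEs the advisory says are not live-patched (CVE-2020-24586 and CVE-2020-24587, which need a reboot into the newest Ubuntu kernel) or not applicable on x86 (CVE-2021-33034), so that those are not reported as missing. It also checks whether /etc/uptrack/uptrack.conf has autoinstall enabled. The `uptrack-show` output embedded below is a constructed stand-in, and its exact line layout is assumed; only the presence of a CVE identifier on a line is relied on.

```shell
#!/bin/sh
# Added example (not Oracle/Ksplice code): verify that this advisory's
# CVEs are covered by the Ksplice updates installed on a host.

# CVE list copied from the "CVEs:" header of this advisory.
ADVISORY_CVES="CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139
CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23133 CVE-2021-23134
CVE-2021-29155 CVE-2021-31829 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200
CVE-2021-3506 CVE-2021-3609"

# Per the notes in this advisory: no zero-downtime update exists for these
# two (a reboot into the newest Ubuntu kernel is the mitigation) ...
REBOOT_ONLY_CVES="CVE-2020-24586 CVE-2020-24587"
# ... and this one is not applicable on x86.
NOT_APPLICABLE_CVES="CVE-2021-33034"

# Print, one per line, the CVEs in $1 that do not appear in the
# installed-updates text $2, skipping any CVE listed in $3.
missing_cves() {
    list=$1; installed=$2; skip=$3
    for cve in $list; do
        case " $skip " in *" $cve "*) continue ;; esac
        # Anchor on non-digit boundaries so that CVE-2021-3506 is not
        # satisfied by an unrelated CVE-2021-35060 entry.
        if ! printf '%s\n' "$installed" | grep -Eq "(^|[^0-9])$cve([^0-9]|$)"; then
            printf '%s\n' "$cve"
        fi
    done
}

# Return 0 when the uptrack.conf text in $1 sets "autoinstall = yes"
# (the advisory says such hosts need no manual action), otherwise 1.
autoinstall_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Constructed stand-in for `uptrack-show` output (layout assumed) on a host
# where the CAN BCM update has not yet been applied.
SAMPLE_INSTALLED='Installed updates:
[zxcv1234] CVE-2020-26145: Multiple vulnerabilities in WPA receive side of Atheros 802.11ac cards support.
[zxcv1235] CVE-2020-26141: Multiple vulnerabilities in Atheros 802.11ac cards support due to improper MIC validation.
[zxcv1236] CVE-2020-26139: Denial-of-service at the receive side of IEEE 802.11 Networking Stack.
[zxcv1237] CVE-2021-23134: Privilege elevation in NFC subsystem when binding or connecting sockets.
[zxcv1238] CVE-2021-32399: Code execution in the Bluetooth subsystem when removing an HCI controller.
[zxcv1239] CVE-2021-3506: Denial-of-service in F2FS file system due to out-of-bounds memory access.
[zxcv1240] CVE-2021-29155: Information disclosure in eBPF due to out of bounds pointer arithmetic.
[zxcv1241] CVE-2021-31829: Information disclosure in eBPF via side-channel attacks.
[zxcv1242] CVE-2021-33200: Code execution in eBPF due to improper pointer operation limits enforcement.
[zxcv1243] CVE-2020-26147: Multiple vulnerabilities at the receiving side of 802.11 Networking Stack.
[zxcv1244] Improved update to CVE-2021-23133: Multiple vulnerabilities due to a race condition in SCTP.
[zxcv1245] CVE-2020-24588: Mishandling of malformed A-MPDU frames in 802.11 Networking Stack.'

# On a real host: read the live uptrack-show output and the live config.
# Exits 1 (with the missing CVEs on stdout) when something still needs
# `uptrack-upgrade -y`, 0 when the advisory is fully covered.
check_live_host() {
    if [ ! -x /usr/sbin/uptrack-show ]; then
        echo "uptrack-show not found; is Ksplice Uptrack installed?" >&2
        return 2
    fi
    if autoinstall_enabled "$(cat /etc/uptrack/uptrack.conf 2>/dev/null)"; then
        echo "autoinstall = yes: updates are applied automatically" >&2
    fi
    missing=$(missing_cves "$ADVISORY_CVES" "$(/usr/sbin/uptrack-show 2>/dev/null)" \
                           "$REBOOT_ONLY_CVES $NOT_APPLICABLE_CVES")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Offline demonstration against the constructed sample: prints CVE-2021-3609.
missing_cves "$ADVISORY_CVES" "$SAMPLE_INSTALLED" "$REBOOT_ONLY_CVES $NOT_APPLICABLE_CVES"
```

Run `check_live_host` on an Uptrack-managed host after `uptrack-upgrade -y`; any CVE it prints is one the advisory expects to be live-patched but that `uptrack-show` does not list. The reboot-only CVEs are deliberately excluded from that check because, as the note below states, they can only be addressed by booting the newest Ubuntu kernel; confirm that separately by comparing `uname -r` with the installed kernel package.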


DESCRIPTION

* CVE-2020-26145: Multiple vulnerabilities in the WPA receive side of the Atheros 802.11ac wireless driver.

Improper input validation in the Wi-Fi Protected Access receive path of
the Atheros 802.11ac wireless driver could lead to plaintext broadcast
fragments being accepted. A physically proximate attacker could use this
flaw to inject arbitrary network packets.


* CVE-2020-26141: Multiple vulnerabilities in the Atheros 802.11ac wireless driver due to improper MIC validation.

A missing message integrity check (MIC) on fragmented TKIP frames in the
Atheros 802.11ac wireless driver could allow an attacker to inject and
decrypt WPA or WPA2 network packets. A physically proximate attacker
could use this flaw for information disclosure and denial-of-service.


* CVE-2020-26139: Denial-of-service at the receive side of the generic IEEE 802.11 networking stack.

A flaw at the receive side of the generic IEEE 802.11 networking stack
could lead to a system crash due to incorrect handling of EAPOL frames
from unauthenticated senders. A physically proximate attacker could use
this flaw to inject malicious packets and cause a denial-of-service.


* CVE-2021-23134: Privilege elevation in the NFC subsystem when binding or connecting sockets.

A use-after-free flaw in the NFC subsystem could be triggered when
binding or connecting sockets. A privileged local user with the
CAP_NET_RAW capability could use this flaw to elevate their privileges.


* CVE-2021-32399: Code execution in the Bluetooth subsystem when removing an HCI controller.

A race condition flaw in the Bluetooth subsystem could lead to
a use-after-free of slab objects during HCI controller removal.
A local user could use this flaw to execute arbitrary code.


* CVE-2021-3506: Denial-of-service in the F2FS file system due to out-of-bounds memory access.

An out-of-bounds memory access flaw in the F2FS file system could lead to
a system crash when retrieving the next Node Address Table (NAT) page.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2021-29155: Information disclosure in eBPF due to out-of-bounds pointer arithmetic.

An out-of-bounds pointer arithmetic flaw in the eBPF implementation could
allow an attacker to bypass the verifier's protection and perform
speculative out-of-bounds loads from kernel memory, leaking kernel memory
contents via a side channel. A local user with the CAP_SYS_ADMIN
capability could use a crafted BPF program to exploit this flaw for
sensitive information disclosure.


* CVE-2021-31829: Information disclosure in eBPF via side-channel attacks.

Undesirable speculative loads in the eBPF implementation could lead to
disclosure of kernel stack contents via side-channel attacks. A local
attacker could use this flaw for information disclosure.


* CVE-2021-33200: Code execution in eBPF due to improper enforcement of pointer operation limits.

A flaw in the eBPF implementation could lead to out-of-bounds reads and
writes because limits on pointer arithmetic were not enforced correctly.
A local attacker could use this flaw to cause a denial-of-service or
execute arbitrary code.


* Note: Oracle will not provide a zero-downtime update for CVE-2020-24587 and CVE-2020-24586.

CVE-2020-24587 (CVSS v3 score of 2.6) and CVE-2020-24586 (CVSS v3 score of
3.5) might allow an attacker to inject L2 frames into a WiFi network using
WEP, WPA/CCMP or WPA/GCMP, or to exfiltrate network data under certain
conditions. Host machines that are not connected to a WiFi network are not
affected.

Oracle has determined that live-patching CVE-2020-24587 and CVE-2020-24586
would not be safe and recommends that affected hosts reboot into the newest
Ubuntu kernel to mitigate the vulnerabilities.


* CVE-2020-26147: Multiple vulnerabilities at the receive side of the 802.11 networking stack.

A flaw in the WEP, WPA, WPA2 and WPA3 implementations of the generic IEEE
802.11 networking stack could cause the stack to reassemble a fragmented
frame even though some of its fragments were received in plaintext.
A physically proximate attacker could use this flaw to inject packets.


* Improved update to CVE-2021-23133: Multiple vulnerabilities due to a race condition in SCTP.

A flaw in the socket handling of the Stream Control Transmission Protocol
could lead to a race condition. A local user with network service
privileges could use this flaw for privilege escalation, information
disclosure or denial-of-service.


* CVE-2021-3609: Privilege escalation in the CAN BCM networking protocol due to use-after-free.

A race condition flaw in the CAN BCM networking protocol, triggered when
registration and unregistration of a CAN message receiver run
concurrently, could lead to a use-after-free. A local attacker could use
this flaw to execute arbitrary code.


* Note: Oracle has determined that CVE-2021-33034 is not applicable.

Oracle has determined that CVE-2021-33034 is not applicable to x86.
Applying the patch has no resulting changes in the generated object
files.


* CVE-2020-24588: Mishandling of malformed A-MPDU frames in the 802.11 networking stack.

Mishandling of malformed A-MPDU frames in the 802.11 wireless networking
stack could allow an attacker to inject network packets. A physically
proximate attacker could use this flaw to compromise system integrity.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
