[Ksplice][Ubuntu-21.04-Updates] New Ksplice updates for Ubuntu 21.04 Hirsute (USN-4977-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Oct 12 02:22:11 PDT 2021


Synopsis: USN-4977-1 can now be patched using Ksplice
CVEs: CVE-2020-24588 CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-25673 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-22555 CVE-2021-23133 CVE-2021-23134 CVE-2021-29155 CVE-2021-31440 CVE-2021-31829 CVE-2021-32399 CVE-2021-33033 CVE-2021-33034 CVE-2021-33200 CVE-2021-3489 CVE-2021-3490 CVE-2021-3501 CVE-2021-3506 CVE-2021-3543 CVE-2021-3609

Systems running Ubuntu 21.04 Hirsute can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4977-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 21.04
Hirsute install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2021-3501: Privilege escalation in the KVM VMX driver.

Use of untrusted user controlled data to index an array could lead to an
out-of-bounds write.  A local user with the ability to start guest VMs on
a host with KVM VMX enabled could use this flaw to elevate their
privileges.


* CVE-2021-22555: Privilege escalation in Netfilter due to out-of-bounds memory write.

A heap out-of-bounds write in netfilter could allow an attacker to gain
privileges or cause a denial-of-service.


* CVE-2020-25670: Denial-of-service in socket binds of NFC LLCP protocol.

A reference counting error in socket binds of the NFC LLCP protocol
implementation could lead to a system crash. A local attacker could use
this to cause a denial of service.


* CVE-2020-25671: Denial-of-service in the NFC LLCP protocol due to a refcount leak.

A flaw in socket connects of the NFC LLCP protocol implementation could
lead to a refcount leak in certain error situations. A local attacker
could use this flaw to cause a denial of service.


* CVE-2020-25672: Denial-of-service in socket connects of the NFC LLCP protocol.

A flaw in socket connects of the NFC LLCP protocol implementation could
lead to a failure to deallocate memory in certain error situations.
A local attacker could use this flaw to cause a denial of service.


* CVE-2020-25673: Denial-of-service in NFC subsystem due to improper error handling.

Improper error handling in LLC socket connects of the NFC subsystem could
lead to an infinite loop. A local attacker could use this to cause
a denial of service.


* CVE-2021-33033: Denial-of-service in security key addition for Generic IEEE 802.15.4 Soft Networking Stack.

A flaw in link-layer security key addition in the Generic IEEE 802.15.4
Soft Networking Stack could lead to a system crash. A local attacker could
use this to cause a denial of service.


* CVE-2021-29155: Information disclosure in eBPF due to out of bounds pointer arithmetic.

An out-of-bounds pointer arithmetic flaw in the eBPF implementation could
allow an attacker to bypass the protection and speculatively execute
out-of-bounds loads from kernel memory, leading to extraction of
kernel memory contents via a side-channel. A local, specially privileged
(CAP_SYS_ADMIN) user loading a BPF program could use this flaw for
sensitive information disclosure.


* CVE-2021-23133: Multiple vulnerabilities due to a race condition in SCTP.

A flaw in socket functionality of Stream Control Transmission Protocol
could lead to a race condition. A local user with network service
privileges could use this flaw for privilege escalation, information
disclosure or denial-of-service.


* Improved fix for CVE-2021-3489: Denial-of-service in BPF due to lacking ring buffer validation.

A malicious BPF program could leverage flaws in the BPF ring buffer
implementation to cause a denial-of-service or potentially execute
arbitrary code.


* Improved fix for CVE-2021-3490: Denial-of-service in BPF verifier for some bitwise operations.

A malicious BPF program could leverage BPF verifier flaws related to some
bitwise operations to cause a denial-of-service or potentially execute
arbitrary code.


* CVE-2020-26145: Multiple vulnerabilities in WPA receive side of Atheros 802.11ac cards support.

Improper input validation in the Wi-Fi Protected Access receive side
implementation of Atheros 802.11ac wireless cards support could lead to
accepting plaintext broadcast fragments. A physically proximate attacker
could use this flaw to inject arbitrary network packets.


* CVE-2021-31440: Privilege escalation in eBPF due to out-of-bounds flaw.

An out-of-bounds condition could happen in Berkeley Packet Filter
due to improper validation of eBPF user-supplied programs. A local
attacker could use this flaw to execute arbitrary code.


* CVE-2021-3543: Use-after-free in the nitro enclaves virtual driver.

The nitro enclaves virtual driver exposes a file descriptor to the user
application before having handled all possible error conditions, which can
lead to a use-after-free on concurrent release of the file descriptor by
userspace.  A local user with the ability to interact with the nitro
enclaves driver could use this flaw to cause a denial-of-service or
potentially escalate their privileges.


* CVE-2021-33034: Use-after-free when tearing down bluetooth HCI channel.

A race condition in the bluetooth Host Controller Interface code could
result in a use-after-free. A malicious device might exploit this to
write data to an arbitrary kernel address, potentially allowing code
execution under control of the device.


* CVE-2021-31829: Information disclosure in eBPF via side-channel attacks.

Undesirable speculative loads in the eBPF implementation could lead to
disclosure of stack content via side-channel attacks. A local attacker
could use this flaw for information disclosure.


* CVE-2020-26139: Remote denial-of-service of WiFi via malicious EAPOL frames.

When acting as an access point, the kernel WiFi driver might forward
EAPOL frames to other devices that have not successfully authenticated.
A malicious device might exploit this to cause a denial-of-service of
the WiFi connection towards legitimately connected clients.


* CVE-2021-33200: Code execution in eBPF due to improper pointer operation limits enforcement.

A flaw in the eBPF implementation could lead to out-of-bounds reads and
writes due to improper enforcement of limits for pointer operations.
A local attacker could use this flaw to cause a denial of service or
execute arbitrary code.


* CVE-2021-32399: Race condition when removing bluetooth HCI controller.

A race condition when removing bluetooth HCI controller could result in
an out-of-bounds write. A malicious unprivileged user might be able to
exploit this to cause a denial-of-service or privilege escalation.


* CVE-2021-23134: Privilege elevation in NFC subsystem when binding or connecting sockets.

A use-after-free flaw in the NFC subsystem could happen when binding or
connecting sockets. A privileged local user with the CAP_NET_RAW
capability could use this flaw to elevate their privileges.


* CVE-2020-26147: Information disclosure/packet injection over WEP/WPA WiFi.

The kernel 802.11 WiFi driver erroneously combines encrypted and
plaintext fragments, potentially allowing an attacker to intercept or
inject into a legitimate encrypted WiFi connection.


* CVE-2020-26141: Multiple vulnerabilities in Atheros 802.11ac cards support due to improper MIC validation.

Improper message integrity check of fragmented TKIP frames in Atheros
802.11ac wireless cards support could allow an attacker to inject and
decrypt WPA or WPA2 network packets. A physically proximate attacker
could use this flaw for information disclosure and denial-of-service.


* CVE-2021-3506: Denial-of-service in F2FS due to out-of-bounds memory access.

An out-of-bounds memory access flaw in the F2FS file system could lead
to a system crash when retrieving the next Node Address Table page.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2021-3609: Privilege escalation in the CAN BCM networking protocol due to use-after-free.

A race condition in the CAN BCM networking protocol could occur when
registration and unregistration of a CAN message receiver run
concurrently, leading to a use-after-free. A local attacker could use
this flaw to execute arbitrary code.


* CVE-2020-24588: Mishandling of malformed A-MPDU frames in 802.11 Networking Stack.

Mishandling of malformed A-MPDU frames in 802.11 Wireless Networking
Stack could allow an attacker to inject network packets. A physically
proximate attacker could use this flaw to compromise the system
integrity.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
