Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.0565 USN-5278-1: Linux kernel (OEM) vulnerabilities 9 February 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Linux kernel (OEM) Publisher: Ubuntu Operating System: Ubuntu Resolution: Patch/Upgrade CVE Names: CVE-2022-24122 CVE-2022-23222 CVE-2022-22942 CVE-2022-0382 CVE-2022-0330 CVE-2022-0264 CVE-2021-45480 CVE-2021-45095 CVE-2021-44733 CVE-2021-43975 CVE-2021-39685 CVE-2021-28715 CVE-2021-28714 CVE-2021-28713 CVE-2021-22600 CVE-2021-4197 CVE-2021-4155 CVE-2021-4135 CVE-2021-4083 CVE-2021-4001 CVE-2020-27820 Reference: ASB-2021.0239 ASB-2021.0232 ESB-2022.0486 ESB-2022.0485 Original Bulletin: https://ubuntu.com/security/notices/USN-5278-1 Comment: CVSS (Max): 8.4* CVE-2021-22600 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE * Not all CVSS available when published - --------------------------BEGIN INCLUDED TEXT-------------------- USN-5278-1: Linux kernel (OEM) vulnerabilities 09 February 2022 Several security issues were fixed in the Linux kernel. Releases o Ubuntu 20.04 LTS Packages o linux-oem-5.14 - Linux kernel for OEM systems Details It was discovered that the rlimit tracking for user namespaces in the Linux kernel did not properly perform reference counting, leading to a use-after- free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. ( CVE-2022-24122 ) It was discovered that the BPF verifier in the Linux kernel did not properly restrict pointer types in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ( CVE-2022-23222 ) Jeremy Cline discovered a use-after-free in the nouveau graphics driver of the Linux kernel during device removal. A privileged or physically proximate attacker could use this to cause a denial of service (system crash). ( CVE-2020-27820 ) It was discovered that the Packet network protocol implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ( CVE-2021-22600 ) Jurgen Gross discovered that the Xen subsystem within the Linux kernel did not adequately limit the number of events driver domains (unprivileged PV backends) could send to other guest VMs. An attacker in a driver domain could use this to cause a denial of service in other guest VMs. ( CVE-2021-28713 ) Jurgen Gross discovered that the Xen network backend driver in the Linux kernel did not adequately limit the amount of queued packets when a guest did not process them. An attacker in a guest VM can use this to cause a denial of service (excessive kernel memory consumption) in the network backend domain. ( CVE-2021-28714 , CVE-2021-28715 ) Szymon Heidrich discovered that the USB Gadget subsystem in the Linux kernel did not properly restrict the size of control requests for certain gadget types, leading to possible out of bounds reads or writes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ( CVE-2021-39685 ) It was discovered that the eBPF implementation in the Linux kernel contained a race condition around read-only maps. A privileged attacker could use this to modify read-only maps. ( CVE-2021-4001 ) Jann Horn discovered a race condition in the Unix domain socket implementation in the Linux kernel that could result in a read-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ( CVE-2021-4083 ) It was discovered that the simulated networking device driver for the Linux kernel did not properly initialize memory in certain situations. A local attacker could use this to expose sensitive information (kernel memory). ( CVE-2021-4135 ) Kirill Tkhai discovered that the XFS file system implementation in the Linux kernel did not calculate size correctly when pre-allocating space in some situations. A local attacker could use this to expose sensitive information. ( CVE-2021-4155 ) Eric Biederman discovered that the cgroup process migration implementation in the Linux kernel did not perform permission checks correctly in some situations. A local attacker could possibly use this to gain administrative privileges. ( CVE-2021-4197 ) Brendan Dolan-Gavitt discovered that the aQuantia AQtion Ethernet device driver in the Linux kernel did not properly validate meta-data coming from the device. A local attacker who can control an emulated device can use this to cause a denial of service (system crash) or possibly execute arbitrary code. ( CVE-2021-43975 ) It was discovered that the ARM Trusted Execution Environment (TEE) subsystem in the Linux kernel contained a race condition leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. ( CVE-2021-44733 ) It was discovered that the Phone Network protocol (PhoNet) implementation in the Linux kernel did not properly perform reference counting in some error conditions. A local attacker could possibly use this to cause a denial of service (memory exhaustion). ( CVE-2021-45095 ) It was discovered that the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could possibly use this to cause a denial of service (memory exhaustion). ( CVE-2021-45480 ) It was discovered that the BPF subsystem in the Linux kernel did not properly track pointer types on atomic fetch operations in some situations. A local attacker could use this to expose sensitive information (kernel pointer addresses). ( CVE-2022-0264 ) Sushma Venkatesh Reddy discovered that the Intel i915 graphics driver in the Linux kernel did not perform a GPU TLB flush in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. ( CVE-2022-0330 ) It was discovered that the TIPC Protocol implementation in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). ( CVE-2022-0382 ) It was discovered that the VMware Virtual GPU driver in the Linux kernel did not properly handle certain failure conditions, leading to a stale entry in the file descriptor table. A local attacker could use this to expose sensitive information or possibly gain administrative privileges. ( CVE-2022-22942 ) Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 o linux-image-5.14.0-1022-oem - 5.14.0-1022.24 o linux-image-oem-20.04d - 5.14.0.1022.19 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References o CVE-2022-23222 o CVE-2021-22600 o CVE-2021-43975 o CVE-2022-24122 o CVE-2022-0330 o CVE-2021-28713 o CVE-2021-4135 o CVE-2022-0264 o CVE-2021-28715 o CVE-2021-39685 o CVE-2022-0382 o CVE-2021-45480 o CVE-2021-4197 o CVE-2021-4001 o CVE-2021-44733 o CVE-2020-27820 o CVE-2021-4083 o CVE-2021-45095 o CVE-2021-28714 o CVE-2022-22942 o CVE-2021-4155 Related notices o USN-5265-1 : linux-image-unsigned-5.13.0-28-generic-64k, linux-modules-extra-5.11.0-1029-gcp, linux-tools-5.13.0-28-lowlatency, linux-gcp-5.11-headers-5.11.0-1029, linux-oem-20.04c, linux-tools-5.13.0-1016-oracle, linux-generic, linux-image-extra-virtual-hwe-20.04, linux-buildinfo-5.13.0-1016-raspi-nolpae, linux-image-lowlatency-hwe-20.04-edge, linux-image-unsigned-5.13.0-28-lowlatency, linux-headers-aws, linux-tools-5.13.0-1016-raspi, linux-image-lowlatency-hwe-20.04, linux-cloud-tools-virtual, linux-kvm, linux-modules-extra-5.11.0-1028-oracle, linux-modules-extra-5.13.0-1016-oracle, linux-tools-generic-64k-hwe-20.04, linux-modules-extra-5.13.0-1013-gcp, linux-image-generic-hwe-20.04, linux-tools-raspi-nolpae, linux-tools-virtual-hwe-20.04, linux-headers-5.13.0-28, linux-image-oem-20.04c, linux-hwe-5.13-tools-host, linux-modules-5.13.0-28-lowlatency, linux-buildinfo-5.13.0-1029-oem, linux-image-unsigned-5.13.0-1013-gcp, linux-image-unsigned-5.13.0-1029-oem, linux-cloud-tools-azure, linux-aws, linux-image-5.13.0-28-generic-lpae, linux-image-aws, linux-buildinfo-5.13.0-1011-kvm, linux-headers-generic-hwe-20.04, linux-buildinfo-5.11.0-1028-aws, linux-headers-virtual-hwe-20.04, linux-oracle-5.11-headers-5.11.0-1028, linux-headers-generic-64k-hwe-20.04-edge, linux-headers-generic-lpae-hwe-20.04, linux-cloud-tools-5.13.0-28, linux-headers-5.13.0-28-generic, linux-modules-5.11.0-1028-aws, linux-tools-5.13.0-1029-oem, linux-image-aws-edge, linux-kvm-tools-5.13.0-1011, linux, linux-headers-gke, linux-modules-5.11.0-1029-gcp, linux-buildinfo-5.13.0-28-generic-lpae, linux-tools-virtual-hwe-20.04-edge, linux-headers-generic-64k-hwe-20.04, linux-oem-5.13, linux-cloud-tools-lowlatency-hwe-20.04-edge, linux-headers-oracle, linux-modules-extra-aws, linux-tools-lowlatency-hwe-20.04-edge, linux-image-generic, linux-headers-5.11.0-1028-aws, linux-headers-generic-64k, linux-modules-extra-raspi-nolpae, linux-generic-lpae, linux-generic-64k, linux-lowlatency, linux-tools-generic-64k-hwe-20.04-edge, linux-headers-5.13.0-28-generic-64k, linux-image-5.11.0-1028-azure, linux-tools-5.13.0-1011-kvm, linux-tools-raspi, linux-image-raspi, linux-image-unsigned-5.13.0-28-generic, linux-image-unsigned-5.13.0-1012-aws, linux-tools-azure, linux-modules-extra-5.11.0-1028-azure, linux-buildinfo-5.13.0-1016-raspi, linux-headers-lowlatency, linux-lowlatency-hwe-20.04, linux-headers-generic-lpae-hwe-20.04-edge, linux-headers-5.13.0-1029-oem, linux-image-5.13.0-1016-raspi-nolpae, linux-tools-oracle, linux-headers-kvm, linux-kvm-headers-5.13.0-1011, linux-oracle-headers-5.13.0-1016, linux-doc, linux-headers-5.13.0-1016-raspi-nolpae, linux-modules-5.13.0-1012-aws, linux-cloud-tools-generic-hwe-20.04, linux-image-unsigned-5.11.0-1028-oracle, linux-raspi-nolpae, linux-cloud-tools-virtual-hwe-20.04, linux-modules-5.13.0-1016-raspi, linux-aws-5.11-headers-5.11.0-1028, linux-headers-virtual-hwe-20.04-edge, linux-headers-generic-lpae, linux-image-unsigned-5.11.0-1029-gcp, linux-modules-extra-raspi, linux-tools-5.11.0-1029-gcp, linux-cloud-tools-lowlatency, linux-headers-gcp, linux-tools-generic-lpae-hwe-20.04-edge, linux-tools-5.13.0-28-generic-lpae, linux-tools-5.13.0-28-generic-64k, linux-virtual-hwe-20.04, linux-headers-oem-20.04c, linux-image-generic-lpae-hwe-20.04-edge, linux-headers-5.13.0-1016-raspi, linux-aws-headers-5.13.0-1012, linux-hwe-5.13-tools-5.13.0-28, linux-modules-5.13.0-1011-kvm, linux-generic-hwe-20.04-edge, linux-source, linux-image-unsigned-5.13.0-1016-oracle, linux-tools-5.13.0-1016-raspi-nolpae, linux-gcp-5.11, linux-image-extra-virtual-hwe-20.04-edge, linux-modules-extra-azure, linux-raspi-tools-5.13.0-1016, linux-cloud-tools-5.13.0-28-lowlatency, linux-image-generic-64k-hwe-20.04-edge, linux-tools-lowlatency, linux-image-5.13.0-1016-oracle, linux-tools-aws, linux-tools-virtual, linux-cloud-tools-generic, linux-azure-5.11-cloud-tools-5.11.0-1028, linux-cloud-tools-5.13.0-1012-aws, linux-image-5.11.0-1028-oracle, linux-image-generic-hwe-20.04-edge, linux-gcp, linux-headers-5.13.0-1013-gcp, linux-image-5.11.0-1029-gcp, linux-image-5.13.0-1012-aws, linux-aws-edge, linux-headers-5.11.0-1029-gcp, linux-buildinfo-5.11.0-1028-oracle, linux-buildinfo-5.13.0-28-generic, linux-raspi, linux-aws-5.13-cloud-tools-5.13.0-1012, linux-azure-5.11-tools-5.11.0-1028, linux-buildinfo-5.13.0-1016-oracle, linux-cloud-tools-lowlatency-hwe-20.04, linux-gcp-tools-5.13.0-1013, linux-modules-5.11.0-1028-oracle, linux-buildinfo-5.13.0-28-generic-64k, linux-modules-5.13.0-1013-gcp, linux-modules-extra-5.13.0-1016-raspi, linux-image-extra-virtual, linux-generic-hwe-20.04, linux-headers-oem-20.04, linux-aws-5.13-headers-5.13.0-1012, linux-headers-azure, linux-modules-5.13.0-28-generic-64k, linux-image-unsigned-5.11.0-1028-aws, linux-hwe-5.13, linux-tools-5.11.0-1028-aws, linux-headers-5.11.0-1028-azure, linux-modules-extra-5.13.0-28-generic, linux-modules-5.13.0-1016-oracle, linux-modules-extra-aws-edge, linux-oracle-5.11-tools-5.11.0-1028, linux-gcp-headers-5.13.0-1013, linux-virtual, linux-libc-dev, linux-generic-64k-hwe-20.04-edge, linux-hwe-5.13-cloud-tools-common, linux-image-5.13.0-1011-kvm, linux-lowlatency-hwe-20.04-edge, linux-tools-generic-hwe-20.04, linux-headers-generic, linux-cloud-tools-virtual-hwe-20.04-edge, linux-generic-lpae-hwe-20.04-edge, linux-virtual-hwe-20.04-edge, linux-crashdump, linux-image-kvm, linux-tools-generic-hwe-20.04-edge, linux-image-5.13.0-28-lowlatency, linux-modules-5.13.0-28-generic-lpae, linux-image-oracle, linux-headers-raspi-nolpae, linux-hwe-5.13-cloud-tools-5.13.0-28, linux-oracle, linux-tools-5.11.0-1028-azure, linux-cloud-tools-5.11.0-1028-azure, linux-tools-generic, linux-image-5.13.0-28-generic-64k, linux-tools-generic-lpae-hwe-20.04, linux-cloud-tools-5.11.0-1028-aws, linux-tools-kvm, linux-headers-5.13.0-1016-oracle, linux-buildinfo-5.13.0-28-lowlatency, linux-headers-virtual, linux-tools-gke, linux-headers-generic-hwe-20.04-edge, linux-tools-generic-64k, linux-image-virtual-hwe-20.04, linux-modules-extra-gcp, linux-generic-lpae-hwe-20.04, linux-buildinfo-5.11.0-1028-azure, linux-headers-5.11.0-1028-oracle, linux-image-generic-64k, linux-image-unsigned-5.11.0-1028-azure, linux-tools-5.13.0-1013-gcp, linux-tools-5.11.0-1028-oracle, linux-aws-5.11-tools-5.11.0-1028, linux-azure-5.11, linux-headers-5.13.0-1012-aws, linux-oracle-5.11, linux-tools-lowlatency-hwe-20.04, linux-image-5.13.0-1013-gcp, linux-headers-lowlatency-hwe-20.04, linux-image-generic-64k-hwe-20.04, linux-buildinfo-5.13.0-1013-gcp, linux-image-lowlatency, linux-tools-5.13.0-28-generic, linux-tools-oem-20.04, linux-buildinfo-5.11.0-1029-gcp, linux-image-raspi-nolpae, linux-hwe-5.13-headers-5.13.0-28, linux-aws-5.13, linux-aws-tools-5.13.0-1012, linux-buildinfo-5.13.0-1012-aws, linux-headers-5.13.0-1011-kvm, linux-hwe-5.13-source-5.13.0, linux-modules-extra-gke, linux-oem-20.04, linux-image-generic-lpae, linux-image-virtual-hwe-20.04-edge, linux-tools-gcp, linux-cloud-tools-common, linux-source-5.13.0, linux-gcp-5.11-tools-5.11.0-1029, linux-tools-aws-edge, linux-tools-host, linux-image-gcp, linux-tools-oem-20.04c, linux-azure, linux-image-azure, linux-image-5.13.0-28-generic, linux-generic-64k-hwe-20.04, linux-oem-5.13-tools-5.13.0-1029, linux-tools-generic-lpae, linux-image-generic-lpae-hwe-20.04, linux-headers-5.13.0-28-generic-lpae, linux-headers-5.13.0-28-lowlatency, linux-oem-5.13-headers-5.13.0-1029, linux-aws-5.11, linux-cloud-tools-generic-hwe-20.04-edge, linux-azure-5.11-headers-5.11.0-1028, linux-headers-raspi, linux-oracle-tools-5.13.0-1016, linux-raspi-headers-5.13.0-1016, linux-modules-5.13.0-28-generic, linux-aws-5.13-tools-5.13.0-1012, linux-headers-aws-edge, linux-tools-common, linux-image-5.13.0-1029-oem, linux-image-virtual, linux-headers-lowlatency-hwe-20.04-edge, linux-aws-5.11-cloud-tools-5.11.0-1028, linux-modules-5.13.0-1016-raspi-nolpae, linux-aws-cloud-tools-5.13.0-1012, linux-cloud-tools-5.13.0-28-generic, linux-modules-extra-5.11.0-1028-aws, linux-image-5.13.0-1016-raspi, linux-modules-extra-5.13.0-1016-raspi-nolpae, linux-modules-extra-5.13.0-1012-aws, linux-modules-5.13.0-1029-oem, linux-image-gke, linux-tools-5.13.0-28, linux-oem-5.13-tools-host, linux-image-unsigned-5.13.0-1011-kvm, linux-gke, linux-image-oem-20.04, linux-tools-5.13.0-1012-aws, linux-modules-5.11.0-1028-azure, linux-hwe-5.13-tools-common o USN-5266-1 : linux-tools-5.4.0-1061-gke, linux-modules-extra-gke, linux-image-unsigned-5.4.0-1061-gke, linux-gke-5.4-tools-5.4.0-1061, linux-gke-5.4-headers-5.4.0-1061, linux-modules-extra-5.4.0-1061-gke, linux-gke-tools-5.4.0-1061, linux-gke-headers-5.4.0-1061, linux-modules-5.4.0-1061-gke, linux-image-5.4.0-1061-gke, linux-modules-extra-gke-5.4, linux-headers-gke, linux-tools-gke-5.4, linux-headers-5.4.0-1061-gke, linux-image-gke, linux-tools-gke, linux-headers-gke-5.4, linux-image-gke-5.4, linux-gke-5.4, linux-gke, linux-buildinfo-5.4.0-1061-gke o USN-5207-1 : linux-oem-20.04b, linux-image-oem-20.04-edge, linux-image-5.10.0-1053-oem, linux-tools-oem-20.04, linux-headers-oem-20.04, linux-oem-20.04, linux-headers-oem-20.04b, linux-oem-5.10-headers-5.10.0-1053, linux-oem-20.04-edge, linux-tools-5.10.0-1053-oem, linux-buildinfo-5.10.0-1053-oem, linux-oem-5.10-tools-host, linux-headers-oem-20.04-edge, linux-image-oem-20.04b, linux-tools-oem-20.04b, linux-modules-5.10.0-1053-oem, linux-oem-5.10, linux-tools-oem-20.04-edge, linux-image-oem-20.04, linux-oem-5.10-tools-5.10.0-1053, linux-headers-5.10.0-1053-oem, linux-image-unsigned-5.10.0-1053-oem - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIUAwUBYgNDn+NLKJtyKPYoAQgXDg/2Jcv/dfCMdxyONTGAPpB3Zi1pKQGyUrbp hIjs0n3bEuCIf1CidRhBeOXqpCDd3AUsYJSdJxmQ3GL1Ub8TeDWES2g0aLuOje8K 2JvdY0DrfJKjCxihya9ii5yZtDdfGP60Xa6M8rDAZ2uQWiKIcp4xh3xb1SG/Rt5s YIVADnkOzPznmf4DPJTN14x6c641Slaf+dgeYxvi5ckcEstEvRtqHNuFeKdSsDYr GJMe+qeBUHGVOlW1y9mhjHtKfs7vVVdABxZ+w8Cidj0Gloi3iA3OZK3YTDU703Lf CoidlsEhN9ygpBmCTDRAuCKA64TnZ2c/nlq0WQwGLJPQrWgoIveehgW/0omxVovo w2A3cWFfy4iBiHdrfV28bDGUQQFhoBW/K12DSvA7KBQPSCMXqMa81g76wd/kpPAY LMhN1Jt0l4P+cxazfLZ++8a4qPLfxF/HwoBP3fPmuNg38iOOc1/a6woQ1hZnvGMQ VehJvkp35hGdihqB3LayLbIt1tXqlmX608V1sHkbUNAte6MQOcDxiQFvvoRauSaI K1mbM4mA6ywQrZQBlkTq7SX2bVucM2+J0J19girMC8e+ElfBNPy1mfW4Qm82pezw mAM9r9BD5Pz2bohyTyI1SyLmoPQieVjGkzcrWLjcUHVHu+N4zgbu0pIZR1Z6ZGex DTe8EoAlpA== =8J5t -----END PGP SIGNATURE-----