Operating System:

[Ubuntu]

Published:

29 November 2023

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.7122
               LSN-0099-1: Kernel Live Patch Security Notice
                             29 November 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Linux Kernel
Publisher:         Ubuntu
Operating System:  Ubuntu
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-42753 CVE-2023-42752 CVE-2023-40283
                   CVE-2023-34319 CVE-2023-31436 CVE-2023-5197
                   CVE-2023-4881 CVE-2023-4623 CVE-2023-4622
                   CVE-2023-4004 CVE-2023-3995 CVE-2023-3777
                   CVE-2023-3776 CVE-2023-3609 CVE-2023-3567
                   CVE-2022-3643  

Original Bulletin: 
   https://ubuntu.com/security/notices/LSN-0099-1

Comment: CVSS (Max):  7.8* CVE-2023-4623 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Ubuntu
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

LSN-0099-1: Kernel Live Patch Security Notice

28 November 2023

Several security issues were fixed in the kernel.

Releases

  o Ubuntu 22.04 LTS
  o Ubuntu 20.04 LTS
  o Ubuntu 18.04 ESM
  o Ubuntu 16.04 ESM
  o Ubuntu 14.04 ESM

Software Description

  o aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1054,
    >= 4.15.0-1119, >= 5.4.0-1009, >= 5.4.0-1061, >= 5.15.0-1000, >=
    4.4.0-1098, >= 4.4.0-1129)
  o aws-5.15 - Linux kernel for Amazon Web Services (AWS) systems - (>=
    5.15.0-1000)
  o aws-5.4 - Linux kernel for Amazon Web Services (AWS) systems - (>=
    5.4.0-1069)
  o aws-6.2 - Linux kernel for Amazon Web Services (AWS) systems - (>=
    6.2.0-1007)
  o aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems - (>=
    4.15.0-1126)
  o azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >=
    5.15.0-1000, >= 4.15.0-1063, >= 4.15.0-1078, >= 4.15.0-1114)
  o azure-4.15 - Linux kernel for Microsoft Azure Cloud systems - (>=
    4.15.0-1115)
  o azure-5.4 - Linux kernel for Microsoft Azure cloud systems - (>=
    5.4.0-1069)
  o azure-6.2 - Linux kernel for Microsoft Azure cloud systems - (>=
    6.2.0-1000)
  o gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>=
    5.4.0-1009, >= 5.15.0-1000, >= 4.15.0-1118)
  o gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>=
    4.15.0-1121)
  o gcp-5.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>=
    5.15.0-1000)
  o gcp-5.4 - Linux kernel for Google Cloud Platform (GCP) systems - (>=
    5.4.0-1069)
  o gcp-6.2 - Linux kernel for Google Cloud Platform (GCP) systems - (>=
    6.2.0-1000)
  o generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >=
    4.15.0-214, >= 4.15.0-143, >= 4.15.0-143, >= 4.15.0-69)
  o generic-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  o generic-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
  o generic-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  o gke - Linux kernel for Google Container Engine (GKE) systems - (>=
    5.4.0-1033, >= 5.15.0-1000)
  o gke-5.15 - Linux kernel for Google Container Engine (GKE) systems - (>=
    5.15.0-1000)
  o gkeop - Linux kernel for Google Container Engine (GKE) systems - (>=
    5.4.0-1009)
  o hwe-6.2 - Linux hardware enablement (HWE) kernel - (>= 6.2.0-20)
  o ibm - Linux kernel for IBM cloud systems - (>= 5.4.0-1009, >= 5.15.0-1000)
  o ibm-5.15 - Linux kernel for IBM cloud systems - (>= 5.15.0-1000)
  o ibm-5.4 - Linux kernel for IBM cloud systems - (>= 5.4.0-1009)
  o linux - Linux kernel - (>= 5.15.0-71, >= 5.15.0-24)
  o lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >
    = 4.15.0-214, >= 4.15.0-143, >= 4.15.0-143, >= 4.15.0-69)
  o lowlatency-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  o lowlatency-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
  o lowlatency-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)

Details

It was discovered that the Xen netback driver in the Linux kernel did not
properly handle packets structured in certain ways. An attacker in a guest
VM could possibly use this to cause a denial of service (host NIC
availability).( CVE-2022-3643 )

It was discovered that the virtual terminal driver in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly expose sensitive
information (kernel memory).( CVE-2023-3567 )

It was discovered that the universal 32bit network packet classifier
implementation in the Linux kernel did not properly perform reference
counting in some situations, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.( CVE-2023-3609 )

It was discovered that the network packet classifier with
netfilter/firewall marks implementation in the Linux kernel did not
properly handle reference counting, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.( CVE-2023-3776 )

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly handle table rules flush in certain circumstances. A local
attacker could possibly use this to cause a denial of service (system
crash) or execute arbitrary code.( CVE-2023-3777 )

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly handle rule additions to bound chains in certain
circumstances. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code.( CVE-2023-3995 )

It was discovered that the netfilter subsystem in the Linux kernel did not
properly handle PIPAPO element removal, leading to a use-after-free
vulnerability. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code.( CVE-2023-4004 )

Bing-Jhong Billy Jheng discovered that the Unix domain socket
implementation in the Linux kernel contained a race condition in certain
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code.( CVE-2023-4622 )

Budimir Markovic discovered that the qdisc implementation in the Linux
kernel did not properly validate inner classes, leading to a use-after-free
vulnerability. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.( CVE-2023-4623 )

Alex Birnberg discovered that the netfilter subsystem in the Linux kernel
did not properly validate register length, leading to an out-of- bounds
write vulnerability. A local attacker could possibly use this to cause a
denial of service (system crash).( CVE-2023-4881 )

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly handle removal of rules from chain bindings in certain
circumstances, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash) or
execute arbitrary code.( CVE-2023-5197 )

Gwangun Jung discovered that the Quick Fair Queueing scheduler
implementation in the Linux kernel contained an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.( CVE-2023-31436 )

Ross Lagerwall discovered that the Xen netback backend driver in the Linux
kernel did not properly handle certain unusual packets from a
paravirtualized network frontend, leading to a buffer overflow. An attacker
in a guest VM could use this to cause a denial of service (host system
crash) or possibly execute arbitrary code.( CVE-2023-34319 )

It was discovered that the bluetooth subsystem in the Linux kernel did not
properly handle L2CAP socket release, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.( CVE-2023-40283 )

Kyle Zeng discovered that the networking stack implementation in the Linux
kernel did not properly validate skb object size in certain conditions. An
attacker could use this cause a denial of service (system crash) or
possibly execute arbitrary code.( CVE-2023-42752 )

Kyle Zeng discovered that the netfiler subsystem in the Linux kernel did
not properly calculate array offsets, leading to a out-of-bounds write
vulnerability. A local user could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.( CVE-2023-42753 )

Checking update status

The problem can be corrected in these Livepatch versions:

  Kernel type   22.04 20.04 18.04 16.04 14.04
aws             99.2  99.1  99.1  99.1  -
aws-5.15        -     99.2  -     -     -
aws-5.4         -     -     99.1  -     -
aws-6.2         99.2  -     -     -     -
aws-hwe         -     -     -     99.1  -
azure           99.2  99.1  -     99.1  -
azure-4.15      -     -     99.1  -     -
azure-5.4       -     -     99.1  -     -
azure-6.2       99.2  -     -     -     -
gcp             99.2  99.1  -     99.1  -
gcp-4.15        -     -     99.1  -     -
gcp-5.15        -     99.2  -     -     -
gcp-5.4         -     -     99.1  -     -
gcp-6.2         99.2  -     -     -     -
generic-4.15    -     -     99.1  99.1  -
generic-4.4     -     -     -     99.1  99.1
generic-5.15    -     99.2  -     -     -
generic-5.4     -     99.1  99.1  -     -
gke             99.2  99.1  -     -     -
gke-5.15        -     99.2  -     -     -
gkeop           -     99.1  -     -     -
hwe-6.2         99.2  -     -     -     -
ibm             99.2  99.1  -     -     -
ibm-5.15        -     99.2  -     -     -
ibm-5.4         -     -     99.1  -     -
linux           99.2  -     -     -     -
lowlatency-4.15 -     -     99.1  99.1  -
lowlatency-4.4  -     -     -     99.1  99.1
lowlatency-5.15 -     99.2  -     -     -
lowlatency-5.4  -     99.1  99.1  -     -

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status

References

  o CVE-2023-42752
  o CVE-2023-3777
  o CVE-2023-3609
  o CVE-2023-4881
  o CVE-2023-42753
  o CVE-2023-4623
  o CVE-2023-3567
  o CVE-2023-3995
  o CVE-2023-40283
  o CVE-2023-5197
  o CVE-2023-3776
  o CVE-2023-4622
  o CVE-2023-4004
  o CVE-2023-34319
  o CVE-2022-3643
  o CVE-2023-31436

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZWaSZckNZI30y1K9AQhGmw//f5PFlW2Y6mU428F2mA/Z3KQNX985UXZ0
1lLijW/STE7AyJG1aXyndFGjjyPBWJinYARcx4j77T1t7hWfoeMeLcmUITvvJHY5
V2wB8tb31fIJZ5Yr6RmguUwrn38/T8gpkBh6sAz/uOq5Y017biLr7zjTBnttOWon
vrXDebHJ7DOMXnGs0ENXShkwdwVof3PkTvdgKvyk/zgPjoTSZsOE4Oj9OYvMAlZg
xP3TV60S02viAhOfdO70uAIlOniWVC50rcmkQjly/nud3XtzWA6gOusVqjV9TahH
Ojd/BDJvTCAzWKCohYtnyXoJG00E78efTrsLFoYrzdxqR/IEelGvhwA4fDuAJixi
oo3VZVZd7ANqc0uDiY9aVYdptp7ETQ2zaRnXxCc1RIiBCmhCz1isWIDWpKpv5xOl
U+Eyfgg/T64jCZxwNFzhklxawKs130PwDkOFs0qOE0+M408d7YIjQ9Gx5q8UZx4y
TcysBZgd4p3QXKLfBVDdxt+lXcFqYYFl61Nni7mZKge+wymXUO3k6wQ9wUusl8oX
w1msq+CqlJdLXBfpcwOUUJHFbmbME7fMPUY7eyIQTc1yWTuzlJPvLRnMkdS/WV1x
DB5IGHYpJBkQTEXa2kCJ1laZjZSr+vqIucQojDPRrq4FN5wtWBqtNLwI/DMwNAhv
m4NAOLqW2V0=
=MkOb
-----END PGP SIGNATURE-----