Debian Kernel Security Updates Patched 26 Vulnerabilities
Multiple vulnerabilities were discovered in the Linux kernel that may lead to denial of service or local privilege escalation. Since the vulnerabilities could cause serious damage, they have been patched in the Debian kernel security updates released on September 9, 2023.
Out of 26 fixed vulnerabilities, 14 have a “high” severity score as per the NVD metrics. In this article, we will discuss some of these vulnerabilities and their impacts on the system.
Vulnerabilities Fixed in Debian Kernel Updates
CVSS 3.x Score: 7.0 High
The btsdio Bluetooth adapter driver in the Linux kernel contained a use-after-free vulnerability. An attacker having permission to insert and remove SDIO devices can use this flaw to cause a denial of service or possibly execute arbitrary code in the kernel.
CVSS 3.x Score: 7.8 High
A use-after-free vulnerability was identified in the Linux kernel’s netfilter subsystem when flushing table rules. A user having the CAP_NET_ADMIN capability in any user or network namespace can use this flaw to achieve local privilege escalation.
CVSS 3.x Score: 7.8 High
Netfilter’s implementation of PIPAPO (PIle PAcket POlicies) in the Linux kernel was found to have a use-after-free flaw in the nft_pipapo_remove function. It can be used by a local user having the CAP_NET_ADMIN capability in any user or network namespace to cause a denial of service (system crash) or potentially escalate their privileges.
CVSS 3.x Score: 7.8 High
A use-after-free flaw was identified in the Linux kernel’s Netfilter during bound chain deactivation in certain cases. A local user can use this to escalate their privileges on the system.
CVSS 3.x Score: 7.0 High
The Linux kernel’s Unix domain sockets component was found to have a use-after-free vulnerability that could result in local privilege escalation.
CVSS 3.x Score: 7.8 High
The Xen netback driver in the Linux kernel had a buffer overrun issue, which could allow a Xen guest to send malformed packets to cause a denial of service to the virtualization host.
CVSS 3.x Score: 7.8 High
The Linux kernel’s Bluetooth socket handling contained a use-after-free flaw because the children of an sk are not handled properly.
CVE-2023-3776, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208
Multiple use-after-free vulnerabilities were found in the Linux kernel’s cls_fw, cls_u32, and cls_route network classifiers that could be exploited to achieve local privilege escalation or cause denial of service.
All these vulnerabilities have been addressed in Linux version 6.1.52-1 for the stable Bookworm release.
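An installed update only takes effect once the host is actually running the new kernel, so a fleet check should compare the running kernel against the fixed version rather than the installed package alone. The following is an added example, not code from the Debian advisory or this article: it reimplements dpkg's version ordering and tests the package version embedded in `uname -v` against 6.1.52-1. The `uname -v` layout and the sample string in the comments are assumptions based on Debian-built kernels.

```python
import re
from itertools import zip_longest

FIXED = "6.1.52-1"  # fixed bookworm package version named in the article

def _weight(ch):
    # dpkg ordering: '~' sorts before end-of-string (0); letters before other characters
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _key(part):
    # Split into (non-digit run, number) pairs: "52~rc2" -> ("", 52), ("~rc", 2), ("", 0)
    return [([_weight(c) for c in text], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def _cmp_part(a, b):
    for (ta, na), (tb, nb) in zip_longest(_key(a), _key(b), fillvalue=([], 0)):
        width = max(len(ta), len(tb))
        ta, tb = ta + [0] * (width - len(ta)), tb + [0] * (width - len(tb))
        if (ta, na) != (tb, nb):
            return -1 if (ta, na) < (tb, nb) else 1
    return 0

def _split(version):
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_debian_versions(a, b):
    """Return -1, 0 or 1 following dpkg's version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def running_kernel_is_fixed(uname_v, fixed=FIXED):
    # Assumed format of `uname -v` on Debian kernels (constructed sample):
    #   "#1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08)"
    m = re.search(r"\bDebian (\S+)", uname_v)
    if m is None:
        return None  # not a Debian-built kernel string; cannot decide
    return compare_debian_versions(m.group(1), fixed) >= 0
```

On a live host, pass `os.uname().version` to `running_kernel_is_fixed`; a result of `False` on a machine where the updated package is already installed means the host has not yet rebooted into it.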
Final Thoughts
Maintaining the overall stability and security of a Debian system depends on maintaining kernel security. The Linux kernel is the fundamental component, and its vulnerabilities can have serious consequences. Therefore, you need to implement an effective patch management strategy to mitigate vulnerabilities and ensure Linux kernel security.
Live patching is a modern technique for patching the kernel with zero reboots or downtime. TuxCare’s KernelCare Enterprise provides an automated live patching solution for all major Linux distributions, including Debian, RHEL, Ubuntu, AlmaLinux, CentOS, and more. That means it automatically applies all security patches without having to restart the server.
Speak to one of our experts to learn more about KernelCare and its working process.
The source for this article can be found on Debian Security Advisory.