klibc Vulnerabilities Addressed in Ubuntu
The Ubuntu security team recently patched several vulnerabilities in klibc, a minimal C library and set of small utilities used during early boot (from the initramfs). Left unpatched, these flaws could lead to denial of service or arbitrary code execution. In this blog post, we’ll look at each of these vulnerabilities and why keeping systems up to date matters.
klibc Vulnerabilities Fixed in Ubuntu
The vulnerabilities addressed in the recent Ubuntu security updates include:
CVE-2016-9840 (CVSS v3 Score: 8.8 High), CVE-2016-9841 (CVSS v3 Score: 9.8 Critical)
Both of these vulnerabilities stem from incorrect pointer arithmetic in the copy of zlib bundled with klibc. Malicious actors could exploit these flaws to cause klibc to crash or potentially execute arbitrary code.
CVE-2018-25032 (CVSS v3 Score: 7.5 High)
Discovered by Danilo Ramos, this vulnerability involves improper memory handling during certain deflate operations in zlib. Exploiting it could likewise cause klibc to crash or potentially execute arbitrary code.
CVE-2022-37434 (CVSS v3 Score: 9.8 Critical)
Uncovered by Evgeny Legerov, this vulnerability pertains to memory mishandling during specific inflate operations in zlib. Similarly, exploiting this flaw could result in klibc crashing or in the execution of arbitrary code.
Mitigation Efforts
The Ubuntu security team has responded to these threats by releasing security fixes for Ubuntu 14.04, Ubuntu 16.04, Ubuntu 18.04, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. Ubuntu users should install the updated klibc packages as soon as possible; a system that is patched and up to date is protected against these vulnerabilities. Note that because klibc lives in the initramfs, the update takes effect for early boot only after the initramfs has been regenerated (the package update does this) and the system has been rebooted.
However, Ubuntu 14.04, Ubuntu 16.04, and Ubuntu 18.04 have already reached end of life, so for those releases security updates are only available through extended security maintenance with a costly Ubuntu Pro subscription. Alternatively, users can utilize an affordable option, TuxCare’s Extended Lifecycle Support, which provides vendor-grade security patches for Ubuntu 16.04 and Ubuntu 18.04 for five additional years after end of life.
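To verify that the klibc update described above has actually landed on a host, an administrator typically compares the installed package versions against the fixed versions listed in the advisory. The script below is an added example for this post, not code from Ubuntu, TuxCare or the klibc project; it assumes the two binary package names `libklibc` and `klibc-utils`, uses Debian version ordering via `dpkg --compare-versions` where `dpkg` is present (falling back to `sort -V` elsewhere), and takes the fixed version as a parameter because this post does not list the exact fixed package versions, so the value shown is a placeholder to be replaced with the one from USN-6736-1.

```shell
#!/bin/sh
# Added example: check whether installed klibc packages are at or above the
# version fixed in USN-6736-1. Fixed versions are NOT on this page; pass the
# real value from the advisory. Package names assumed: libklibc, klibc-utils.

# version_lt A B -> returns 0 when A is strictly older than B.
# Uses Debian ordering when dpkg exists, GNU sort -V as an approximation otherwise.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# installed_version PKG -> prints the installed version, or nothing if absent.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# check_package PKG FIXED -> prints a status line; returns 0 when patched or
# not installed, 1 when the installed version predates the fix.
check_package() {
    pkg=$1
    fixed=$2
    cur=$(installed_version "$pkg")
    if [ -z "$cur" ]; then
        echo "$pkg: not installed"
        return 0
    fi
    if version_lt "$cur" "$fixed"; then
        echo "$pkg: $cur is older than fixed version $fixed -> UPDATE NEEDED"
        return 1
    fi
    echo "$pkg: $cur is at or above $fixed -> OK"
    return 0
}

# audit_klibc FIXED -> checks both klibc binary packages; returns 1 if any needs updating.
audit_klibc() {
    rc=0
    for p in libklibc klibc-utils; do
        check_package "$p" "$1" || rc=1
    done
    return $rc
}

# Usage (replace the placeholder with the fixed version from USN-6736-1):
#   audit_klibc "FIXED_VERSION_FROM_USN_6736_1"
```

A non-zero exit from `audit_klibc` is what a fleet-wide compliance job would alert on; remember that the updated klibc only protects early boot once the initramfs has been rebuilt and the machine rebooted, which this package-level check does not verify.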
Ask questions to a TuxCare security expert to learn more about securing your end-of-life Ubuntu systems.
Source: USN-6736-1