Linux Kernel AWS Vulnerabilities Fixed in Ubuntu 16.04
Several security vulnerabilities in the Linux kernel for Amazon Web Services (AWS) systems in Ubuntu 16.04 have been addressed by the Ubuntu security team. These fixes are crucial for maintaining system integrity and protecting against potential exploits. Let’s delve into the specific vulnerabilities and the measures taken to resolve them.
Overview of Linux Kernel AWS Vulnerabilities
A race condition was identified in the Linux kernel’s Broadcom FullMAC WLAN driver during device unplugging (hotplug). The race could result in a use-after-free, which attackers could exploit to cause a denial of service. The issue has been fixed to prevent such race conditions, enhancing the stability and security of the WLAN driver.
The JFS file system had an out-of-bounds read issue in the dtSearch function. While searching for the current page in the sorted entry table, an out-of-bounds access occurred. This has been fixed by adding a bound check and setting the return code to -EIO, preventing potential crashes and data corruption.
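A simplified userspace model of that kind of fix, added here as an example and not taken from the kernel's JFS code: each sorted-entry-table value is validated before it is used as an index, and a bad value returns -EIO. The struct layout, `NSLOTS`, the function name and the sample pages are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 8   /* constructed size, not the real JFS page geometry */

/* Hypothetical, simplified stand-in for an on-disk dtree page. */
struct dt_page_model {
    int8_t stbl[NSLOTS];  /* sorted entry table: slot indices in key order */
    int    nextindex;     /* number of valid stbl entries */
    int    key[NSLOTS];   /* slot contents, reduced to an integer key */
};

/* Binary search through stbl. Returns the matching slot index, -ENOENT if
 * the key is absent, or -EIO if the page data cannot be trusted. */
int dt_search_model(const struct dt_page_model *p, int want)
{
    int lo = 0, hi;

    if (p->nextindex < 0 || p->nextindex > NSLOTS)
        return -EIO;                 /* entry count itself is corrupt */
    hi = p->nextindex - 1;

    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        int si = p->stbl[mid];       /* value read from "disk": untrusted */

        if (si < 0 || si >= NSLOTS)
            return -EIO;             /* bound check before indexing key[] */
        if (p->key[si] == want)
            return si;
        if (p->key[si] < want)
            lo = mid + 1;
        else
            hi = mid - 1;
    }
    return -ENOENT;
}

/* Constructed sample pages: keys 10,20,30,40 live in slots 3,0,2,1. */
const struct dt_page_model good_page = { {3, 0, 2, 1},   4, {20, 40, 30, 10} };
const struct dt_page_model bad_page  = { {3, 0, 2, 100}, 4, {20, 40, 30, 10} };

int main(void)
{
    printf("good, key 30 -> %d\n", dt_search_model(&good_page, 30));
    printf("bad,  key 40 -> %d\n", dt_search_model(&bad_page, 40));
    return 0;
}
```

Without the range check, the corrupted entry in `bad_page` would index far past the end of `key[]`; with it, the lookup fails cleanly and the caller sees an I/O error.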
In the Tomoyo security module, a use-after-free (UAF) write bug was identified in tomoyo_write_control(). The bug occurred when head->write_buf was updated during a write() operation of long lines. By ensuring head->write_buf is fetched after head->io_sem is held, the vulnerability has been mitigated, preventing concurrent write() requests from causing UAF and double-free issues.
A use-after-free and null-pointer dereference vulnerability was found in the IPv6 segment routing (SR) functionality. The pernet operations structure for the subsystem must be registered before registering the generic netlink family. This fix ensures proper registration order, enhancing the robustness of the IPv6 subsystem.
Additional Security Updates
Besides the Linux kernel vulnerabilities described above, several other subsystems received security updates. These include:
- Block layer subsystem
- Userspace I/O drivers
- Ceph distributed file system
- Ext4 file system
- NILFS2 file system
- Bluetooth subsystem
- Networking core
- IPv4 networking
- Logical Link layer
- MAC80211 subsystem
- Netlink
- NFC subsystem
These updates address multiple CVEs, including CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, and many more, ensuring comprehensive security enhancements across various components of the Linux kernel.
Staying Secure on Ubuntu 16.04
Despite these fixes, it’s essential to note that Ubuntu 16.04 has reached its end of life. Security updates are only available through an Ubuntu Pro subscription, which can be costly. However, for those seeking a more affordable solution, TuxCare’s Extended Lifecycle for Ubuntu 16.04 offers continued security updates with automated vulnerability patches for five years after the EOL date.
Upgrading to a newer LTS version might be ideal in the long run, but for enterprise environments with complex setups, ELS can be a potentially more affordable option due to the cost and time involved in extensive migration planning and testing.
Conclusion
By addressing these Linux kernel AWS vulnerabilities, you can ensure that AWS-HWE systems running Ubuntu 16.04 remain protected against potential exploits. For enterprises and users on older versions, ELS provides a viable path to continued security without immediate upgrades. TuxCare also offers KernelCare Enterprise, a live patching solution, which allows you to apply critical kernel updates without having to reboot the system.
The KernelCare team is working to release live patches for the above vulnerabilities. You can track the release status for different operating systems using the TuxCare CVE tracker.
Source: USN-6777-4