Multiple vulnerabilities affecting Ubuntu 20.04 HWE/AWS
TuxCare’s KernelCare team is preparing a large batch of patches for Ubuntu 20.04 HWE and AWS Hirsute variants, running the ubuntu-focal-hwe-5.11 and ubuntu-focal-aws-5.11 kernels. All the patches refer to CVEs present in Errata USN-5113-1.
There are some high-scoring vulnerabilities in the list, so care should be taken if you plan on delaying patching for any reason, as you could be leaving your systems open to exploits.
Patches will be available for deployment in the next few days. This post will be updated to reflect the actual availability as soon as it happens.
The patches cover the following list of CVEs:
CVE-2020-3702
CVE-2021-3732
CVE-2021-3739
CVE-2021-3743
CVE-2021-3753
CVE-2021-38166
CVE-2021-40490
CVE-2021-42008
Let’s take a closer look at each of them.
Starting with CVE-2020-3702, it refers to a race condition that existed in the Atheros Ath9k WiFi driver included in the kernel. A race condition is the name given to a situation where two or more concurrent threads try to read or change the same data at the “same” time, resulting in inconsistent behaviour. An attacker could exploit this situation, causing the driver, and consequently the wireless adapter, to malfunction and disclose information. At the time of disclosure, the flaw was found to primarily affect Snapdragon-based wireless adapters found in a wide range of devices, from wearables to IoT to networking equipment. However, because the flaw exists in the driver itself, other devices using the same driver could also be affected.
CVE-2021-3732 refers to a problem with overlays, where improper restrictions could allow unprivileged access to files, potentially exposing sensitive information.
CVE-2021-3739 explains how a process running with CAP_SYS_ADMIN privileges could trigger a NULL pointer dereference inside the btrfs code present in the kernel, leading to a denial of service. This vulnerability received a “low” rating because running a process with CAP_SYS_ADMIN already requires having some privileges in the system, so other, more effective avenues for disruption would already be available to the attacker.
CVE-2021-3743 is a vulnerability in the Qualcomm IPC Router protocol implementation that fails to validate metadata in specific situations. As a result, local attackers could cause a denial of service and crash the system or even access sensitive information.
CVE-2021-3753 affects the virtual terminal (vt) device, used, for example, for local access to a system through the console. A race condition there could result in an out-of-bounds read, and a properly motivated attacker could escalate the error into an information disclosure.
CVE-2021-38166 is a vulnerability in one of the usual CVE hotspots in the kernel, specifically the BPF subsystem. If the name sounds familiar, it’s because it has been mentioned extensively in this blog. This time around, an integer overflow was discovered in the hash table (HashTab) implementation, resulting in an out-of-bounds write. While exploiting this vulnerability is not practical without already having CAP_SYS_ADMIN privileges, it would still be possible to cause a denial of service, crash the system, or turn this into arbitrary code execution. Again, if the attacker already had the CAP_SYS_ADMIN privilege, exploiting this would be somewhat redundant, as more efficient attack routes would be available. Note that this vulnerability nevertheless received a 7.8 CVSS 3 score, which is quite relevant: there may be additional information regarding exploit availability or attack vectors that has not been divulged publicly.
CVE-2021-40490 refers to the third race condition vulnerability in this batch of patches, this time in the ext4 codebase, specifically in the “ext4_write_inline_data_end” function. Writing xattrs to an inode (in simpler terms, setting specific attributes) in concurrent threads could result in a denial of service. It is mentioned that a path towards privilege escalation starting with an exploit of this vulnerability is known to exist. Given the prevalence of ext4 as the default filesystem in multiple distributions, this CVE is likely to have far-reaching implications.
And finally, saving the best to last, CVE-2021-42008 refers to a problem in the “decode_data” function present in the “hamradio” networking driver, in which another out-of-bounds write was identified. A process with CAP_NET_ADMIN can abuse this to obtain root access or crash the system, causing a denial of service. While the flaw is present in a somewhat obscure driver – hamradio – it has received an 8.8 CVSS 3 score from a vendor. Usually, this means that it is either trivially triggered remotely or has some other exploit path that has not been publicly divulged, so IT teams should be aware and patch immediately.
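To help decide how urgently a given host needs this batch, here is an added POSIX shell triage helper (not part of the TuxCare post or KernelCare). It assumes the Focal HWE and AWS 5.11 kernels report as 5.11.0-*-generic and 5.11.0-*-aws in uname -r, and assumes the loadable module names ath9k, qrtr, 6pack, overlay and btrfs for the drivers the post names; ext4, vt and BPF are built in and always apply.

```shell
#!/bin/sh
# Added triage helper: does this host run a kernel covered by USN-5113-1,
# and which of the affected *loadable* drivers are actually in use?
# Kernel name patterns and module names are assumptions, see lead-in.

# Module -> CVE mapping for the loadable components named in the post.
MODULE_CVES="ath9k:CVE-2020-3702 qrtr:CVE-2021-3743 6pack:CVE-2021-42008 overlay:CVE-2021-3732 btrfs:CVE-2021-3739"

# $1: kernel release string as printed by 'uname -r'.
# Returns 0 for the assumed Focal HWE (generic) and AWS 5.11 flavours.
is_affected_kernel() {
    case "$1" in
        5.11.0-*-generic|5.11.0-*-aws) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: path to a /proc/modules style file (first column = module name).
# Prints "<module> <CVE>" for every affected module that is loaded.
loaded_affected_modules() {
    for entry in $MODULE_CVES; do
        mod=${entry%%:*}
        cve=${entry#*:}
        if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$1"; then
            echo "$mod $cve"
        fi
    done
}

# Wrapper for the live system: returns 0 when the batch applies here.
triage_live_host() {
    kernel=$(uname -r)
    if ! is_affected_kernel "$kernel"; then
        echo "kernel $kernel is not a Focal HWE/AWS 5.11 kernel; USN-5113-1 does not apply"
        return 1
    fi
    echo "kernel $kernel matches USN-5113-1; built-in ext4/vt/BPF CVEs always apply"
    echo "loaded affected modules:"
    loaded_affected_modules /proc/modules
    return 0
}
```

Run triage_live_host on the host itself; the two lower-level functions take explicit inputs so they can be exercised against captured uname and /proc/modules data from a fleet inventory.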
From the large list of vulnerabilities covered in this batch and the high score of some, it is strongly recommended to apply the patches as soon as they are available to ensure that security is maintained in systems running the affected distributions.
If you are not yet a KernelCare Enterprise service subscriber or would like to know more about it, you can find the relevant information here.