Several Linux Kernel Azure Vulnerabilities Fixed in Ubuntu
Recently, Canonical released security updates to address several vulnerabilities in the Linux kernel for Microsoft Azure Cloud systems in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. An attacker could possibly use these issues to cause a denial of service, expose sensitive information, or execute arbitrary code.
Linux Kernel (Azure) Vulnerabilities
These are the vulnerabilities that have been patched in the latest Ubuntu security updates for Microsoft Azure Cloud systems:
CVE-2021-33631 (CVSS v3 Severity Score: 7.8 High)
The ext4 file system implementation in the Linux kernel was found to improperly validate data state on write operations. An attacker could exploit this vulnerability by constructing a malicious ext4 file system image. When mounted, this could lead to a system crash, resulting in a denial of service.
CVE-2023-6270 (CVSS v3 Severity Score: 7.0 High)
A race condition in the ATA over Ethernet (AoE) driver in the Linux kernel was discovered, leading to a use-after-free vulnerability. This could be exploited by an attacker to cause a denial of service or potentially execute arbitrary code.
Security researchers identified that the mitigations for the initial Branch History Injection vulnerability (CVE-2022-0001) were insufficient for Intel processors. This vulnerability could allow a local attacker to expose sensitive information.
CVE-2024-23307 (CVSS v3 Severity Score: 7.8 High)
Gui-Dong Han discovered a race condition in the software RAID driver in the Linux kernel, leading to an integer overflow vulnerability. A privileged attacker could exploit this to cause a denial of service.
CVE-2024-24861 (CVSS v3 Severity Score: 6.3 Medium)
Bai Jiaju discovered that the Xceive XC4000 silicon tuner device driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. This could potentially allow an attacker to cause a denial of service.
Several other issues that could compromise the system were also fixed in various subsystems of the Linux kernel. These include:
- Block layer subsystem
- Hardware random number generator core
- GPU drivers
- AFS file system
- Memory management
- Netfilter
The relevant CVEs for these vulnerabilities are CVE-2024-26642, CVE-2024-26922, CVE-2024-26720, CVE-2024-26736, CVE-2024-26898, CVE-2021-47063, and CVE-2023-52615.
Addressing Linux Kernel Vulnerabilities in EOL Ubuntu
As Ubuntu 16.04 and Ubuntu 18.04 have already reached end of life (EOL), security updates are only available through Extended Security Maintenance (ESM) via Ubuntu Pro. ESM offers support beyond the standard five years of an Ubuntu LTS release. However, it is not the only solution. TuxCare offers an affordable alternative, Extended Lifecycle Support (ELS), allowing you to continue receiving security patches for an additional five years after the EOL date. ELS is available for both Ubuntu 16.04 and Ubuntu 18.04, and provides security updates for the Linux kernel, common shared libraries like glibc, OpenSSL, OpenSSH, and various other Linux packages.
TuxCare has already released patches for the above-mentioned vulnerabilities for Ubuntu 16.04 ELS and Ubuntu 18.04 ELS. You can track the release status of vulnerabilities on the CVE tracker page.
TuxCare also offers KernelCare Enterprise, a live kernel patching solution that allows you to apply security updates to a running kernel without having to reboot the system. The KernelCare team is working on deploying live patches for these Linux kernel vulnerabilities for Microsoft Azure Cloud users.
Source: USN-6866-2