Ubuntu update for Linux kernel



Published: 2019-02-18
Risk Low
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2018-14625
CVE-2018-16882
CVE-2018-19407
CVE-2018-19854
CWE-ID CWE-362
CWE-416
CWE-476
CWE-401
Exploitation vector Local network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Vulnerable software
linux-hwe (Ubuntu package)
Operating systems & Components / Operating system package or component

linux (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Race condition

EUVDB-ID: #VU16514

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-14625

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to a race condition between the connect() and close() functions. A local attacker can use the AF_VSOCK protocol to obtain sensitive information and possibly intercept or corrupt AF_VSOCK messages destined for other clients.

Mitigation

Update the affected packages.

Ubuntu 18.10
linux-image-4.18.0-15-generic - 4.18.0-15.16
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16
linux-image-generic - 4.18.0.15.16
linux-image-generic-lpae - 4.18.0.15.16
linux-image-lowlatency - 4.18.0.15.16
linux-image-snapdragon - 4.18.0.15.16
Ubuntu 18.04 LTS
linux-image-4.18.0-15-generic - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16~18.04.1
linux-image-generic-hwe-18.04 - 4.18.0.15.65
linux-image-generic-lpae-hwe-18.04 - 4.18.0.15.65
linux-image-lowlatency-hwe-18.04 - 4.18.0.15.65
linux-image-snapdragon-hwe-18.04 - 4.18.0.15.65

Vulnerable software versions

linux-hwe (Ubuntu package): 4.18.0-12.13~18.04.2 - 4.18.0-14.15~18.04.1

linux (Ubuntu package): 4.18.0-0.0 - 4.18.0-14.15
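The mitigation for all four entries in this bulletin is the same package update, so the check is the same too: is the installed kernel image at or above the fixed version, or inside the vulnerable range? The script below is an added example, not part of the bulletin and not Canonical's tooling. It ports the dpkg version-ordering rules (epoch, upstream, revision; `~` sorts before everything, including the end of the string, which is why `4.18.0-15.16~18.04.1` is older than `4.18.0-15.16`) and applies the version boundaries quoted above. The `dpkg-query` lines are constructed sample data, and the mapping of a `linux-image-4.18.0-*` binary package to the `linux-hwe` or `linux` source package (by the `~18.04` suffix) is an assumption made for the example.

```python
# Added example, not part of the original bulletin or of Canonical's tooling.
# Classifies installed Ubuntu kernel image versions against the vulnerable
# ranges and fixed versions quoted in this bulletin, using a port of the
# dpkg version-ordering rules. All sample input below is constructed.

# Version boundaries as stated in the bulletin, per source package.
VULNERABLE_RANGE = {
    "linux-hwe": ("4.18.0-12.13~18.04.2", "4.18.0-14.15~18.04.1"),  # Ubuntu 18.04 LTS HWE kernel
    "linux": ("4.18.0-0.0", "4.18.0-14.15"),                        # Ubuntu 18.10 kernel
}
FIXED_VERSION = {
    "linux-hwe": "4.18.0-15.16~18.04.1",
    "linux": "4.18.0-15.16",
}


def _order(c):
    """Sort weight of a non-digit character, as in dpkg's order()."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1         # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under dpkg ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def assess(source_package, version):
    """Classify one installed kernel version against this bulletin."""
    lo, hi = VULNERABLE_RANGE[source_package]
    if compare_versions(version, FIXED_VERSION[source_package]) >= 0:
        return "fixed"
    if compare_versions(lo, version) <= 0 and compare_versions(version, hi) <= 0:
        return "vulnerable"
    return "outside listed range"   # e.g. a 4.15 GA kernel, not covered here


def source_package_for(binary_name, version):
    """Assumption for this example: 4.18 images with a '~18.04' suffix come
    from linux-hwe, other 4.18 images from linux; everything else is skipped."""
    if not binary_name.startswith("linux-image-4.18.0-"):
        return None
    return "linux-hwe" if "~18.04" in version else "linux"


def check_dpkg_output(text):
    """Parse lines of 'dpkg-query -W -f=${Package} ${Version}\n' and assess each image."""
    results = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, version = parts
        src = source_package_for(name, version)
        if src:
            results[name] = assess(src, version)
    return results


# Constructed sample of dpkg-query output from an Ubuntu 18.04 host (not a
# real capture): one unpatched HWE image, one patched one, one meta-package.
SAMPLE_DPKG_OUTPUT = """\
linux-image-4.18.0-14-generic 4.18.0-14.15~18.04.1
linux-image-4.18.0-15-generic 4.18.0-15.16~18.04.1
linux-image-generic-hwe-18.04 4.18.0.15.65
"""

if __name__ == "__main__":
    for pkg, verdict in check_dpkg_output(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {verdict}")
```

Two points to keep in mind when using a check like this: an installed fixed image only protects the host after a reboot into it, so `uname -r` should be compared against the fixed ABI (`4.18.0-15`) as well; and the meta-packages (`linux-image-generic-hwe-18.04` with the dotted `4.18.0.15.65` version) are deliberately skipped, since they only pull in the real image package and do not by themselves say which kernel is running.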

External links

http://usn.ubuntu.com/3878-3/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Use-after-free error

EUVDB-ID: #VU16617

Risk: Low

CVSSv3.1: 6.6 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16882

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to cause a DoS condition or gain elevated privileges on the target system.

The vulnerability exists in nested_get_vmcs12_pages(): in case of an error while processing the posted interrupt address, it unmaps 'pi_desc_page' without resetting the 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). An adjacent attacker can use a malicious container to trigger a use-after-free error and crash the host kernel, resulting in DoS, or potentially gain privileged access to the system.

Mitigation

Update the affected packages.

Ubuntu 18.10
linux-image-4.18.0-15-generic - 4.18.0-15.16
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16
linux-image-generic - 4.18.0.15.16
linux-image-generic-lpae - 4.18.0.15.16
linux-image-lowlatency - 4.18.0.15.16
linux-image-snapdragon - 4.18.0.15.16
Ubuntu 18.04 LTS
linux-image-4.18.0-15-generic - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16~18.04.1
linux-image-generic-hwe-18.04 - 4.18.0.15.65
linux-image-generic-lpae-hwe-18.04 - 4.18.0.15.65
linux-image-lowlatency-hwe-18.04 - 4.18.0.15.65
linux-image-snapdragon-hwe-18.04 - 4.18.0.15.65

Vulnerable software versions

linux-hwe (Ubuntu package): 4.18.0-12.13~18.04.2 - 4.18.0-14.15~18.04.1

linux (Ubuntu package): 4.18.0-0.0 - 4.18.0-14.15

External links

http://usn.ubuntu.com/3878-3/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Null pointer dereference

EUVDB-ID: #VU16022

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2018-19407

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists in the vcpu_scan_ioapic function, as defined in the arch/x86/kvm/x86.c source code file, due to the failure of the I/O Advanced Programmable Interrupt Controller (I/O APIC) to initialize. A local attacker can access the system, execute an application that submits malicious system calls and trigger a NULL pointer dereference, which could result in a DoS condition.

Mitigation

Update the affected packages.

Ubuntu 18.10
linux-image-4.18.0-15-generic - 4.18.0-15.16
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16
linux-image-generic - 4.18.0.15.16
linux-image-generic-lpae - 4.18.0.15.16
linux-image-lowlatency - 4.18.0.15.16
linux-image-snapdragon - 4.18.0.15.16
Ubuntu 18.04 LTS
linux-image-4.18.0-15-generic - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16~18.04.1
linux-image-generic-hwe-18.04 - 4.18.0.15.65
linux-image-generic-lpae-hwe-18.04 - 4.18.0.15.65
linux-image-lowlatency-hwe-18.04 - 4.18.0.15.65
linux-image-snapdragon-hwe-18.04 - 4.18.0.15.65

Vulnerable software versions

linux-hwe (Ubuntu package): 4.18.0-12.13~18.04.2 - 4.18.0-14.15~18.04.1

linux (Ubuntu package): 4.18.0-0.0 - 4.18.0-14.15

External links

http://usn.ubuntu.com/3878-3/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

4) Memory leak

EUVDB-ID: #VU17257

Risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-19854

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local attacker to perform a DoS attack on the target system.

The vulnerability exists because crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace. A local attacker can trigger a memory leak and perform a denial of service attack.

Mitigation

Update the affected packages.

Ubuntu 18.10
linux-image-4.18.0-15-generic - 4.18.0-15.16
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16
linux-image-generic - 4.18.0.15.16
linux-image-generic-lpae - 4.18.0.15.16
linux-image-lowlatency - 4.18.0.15.16
linux-image-snapdragon - 4.18.0.15.16
Ubuntu 18.04 LTS
linux-image-4.18.0-15-generic - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-generic-lpae - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-lowlatency - 4.18.0-15.16~18.04.1
linux-image-4.18.0-15-snapdragon - 4.18.0-15.16~18.04.1
linux-image-generic-hwe-18.04 - 4.18.0.15.65
linux-image-generic-lpae-hwe-18.04 - 4.18.0.15.65
linux-image-lowlatency-hwe-18.04 - 4.18.0.15.65
linux-image-snapdragon-hwe-18.04 - 4.18.0.15.65

Vulnerable software versions

linux-hwe (Ubuntu package): 4.18.0-12.13~18.04.2 - 4.18.0-14.15~18.04.1

linux (Ubuntu package): 4.18.0-0.0 - 4.18.0-14.15

External links

http://usn.ubuntu.com/3878-3/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
