Ubuntu peppered with holes

Almost 40 vulnerabilities, which allow remote and local exploits, have been discovered in the Linux Ubuntu 10.04 Long Term Support (LTS) kernel.


The holes also apply to corresponding versions of Kubuntu, Edubuntu and Xubuntu.

The vulnerabilities include an issue with the way the Common Internet File System validates Internet Control Message Protocol (ICMP) response packets, which allows an attacker to send crafted packets that cause a denial of service, and a hole in the Network File System v4 (NFSv4), which bungles certain write requests, allowing malicious users to craft traffic to gain root privileges.

"If you block ICMP you will get UDP (User Datagram Protocol) trouble because it does not have reliability built into it. You will get ICMP messages back," Securus Global researcher Declan Ingram said. "Being able to cause a kernel panic with an ICMP unreachable message is bad."

Nine vulnerabilities allow attackers to gain root privilege and 14 lead to denial of service.

The multiple vulnerabilities that require local access are still a serious risk for users on shared services, according to Ingram.

"If you are on a shared host, using the local [kernel vulnerabilities], you can pop to root and own everyone around you. Just because it's local does not mean you won't get owned."

Stratsec head of delivery Nick Ellsmore flagged the NFSv4 vulnerability as the most serious hole, since it leads to remote code execution.

The vulnerabilities can be fixed by upgrading Ubuntu packages, but customers of hosting providers that consider the fix too onerous will still be at risk, Ingram said.

Upgrade packages for Ubuntu 10.04 LTS include:

  • linux-image-2.6.35-25-generic 2.6.35-25.44~lucid1
  • linux-image-2.6.35-25-generic-pae 2.6.35-25.44~lucid1
  • linux-image-2.6.35-25-server 2.6.35-25.44~lucid1
  • linux-image-2.6.35-25-virtual 2.6.35-25.44~lucid1