Affects Ubuntu 18.04 LTS, 16.04 LTS, and Debian GNU/Linux 9

Aug 7, 2018 17:00 GMT  ·  By

Canonical and Debian Project released new Linux kernel security updates for their supported operating systems to address a critical vulnerability affecting the TCP implementation.

Discovered and reported by security researcher Juha-Matti Tilli, the security flaw (CVE-2018-5390) could allow a remote attacker to cause a denial of service on affected machines by using malicious packets, sent at relatively low rates, to trigger worst-case code paths in the kernel's Transmission Control Protocol (TCP) stream reassembly.

"Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service," reads Canonical's latest security advisory for the Linux kernel.

Additionally, the kernel security update released by the Debian Project also patches a security vulnerability (CVE-2018-13405) discovered by Jann Horn in the Linux kernel's inode_init_owner function in fs/inode.c, which could allow local attackers to escalate their privileges by crafting files with unintended group ownership.

Users are urged to update their systems immediately

The TCP security flaw affects the Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Debian GNU/Linux 9 "Stretch" operating systems. Users are urged to update their installations to the new kernel versions as soon as possible. Debian GNU/Linux 9 "Stretch" users will have to update to kernel 4.9.110-3+deb9u1.

On the other hand, Ubuntu 18.04 LTS users must update their 64-bit systems to linux-image 4.15.0.30.32, while Ubuntu 16.04.5 LTS users running the HWE (Hardware Enablement) kernel from Ubuntu 18.04 LTS need to update their 32-bit or 64-bit installations to linux-image-hwe-16.04 4.15.0.30.52. Reboot your PCs after installing the new kernel version!

Ubuntu users should check out the security advisories for the new kernel versions released for other supported architectures, including for Amazon Web Services (AWS) systems, Microsoft Azure Cloud systems, Google Cloud Platform (GCP) systems, OEM processors, Raspberry Pi 2 computers, and cloud environments.