Are my systems vulnerable to CVE-2016-5696?

I have a request from my network security colleague to investigate the threat of this CVE for our environment and I'm having a hard time figuring it out. When I look on the CVE tracker for that CVE: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5696.html

It lists the package versions as well as the release versions, which confuses me. It seems to imply that you can run the Trusty source on the Precise OS?

But that's beside the point. Our environment is predominantly Precise servers with a handful of Trusty servers, and I need to know if this vulnerability applies to me. Is there a command I can run to determine if I'm using one of the packages that is listed? The package names actually specified in the tracker, like "linux-lts-trusty", are not apt-get packages, so "apt-cache show" doesn't help.


Solution 1:

First of all, the package it refers to, linux-lts-trusty, refers to the kernel images. They are named differently in the repositories. If you run apt-cache search linux-.* | grep 'trusty' you will find packages like linux-image-virtual-lts-trusty or linux-image-virtual-lts-wily. In addition, if you open the Launchpad link, the git.kernel.org link and the others from the CVE report, they all point to this being a Linux kernel vulnerability.

So, for linux-lts-trusty, for which the latest Launchpad version at the time of writing is 3.13.0-93.140-precise1, the tracker lists that a fix is needed only for Ubuntu 12.04; for the other releases the bug is DNE (does not exist):

[screenshot: tracker status table for linux-lts-trusty]

For linux-lts-wily, which is version 4.2.0-42.49-14.04.1, only Trusty (14.04) is at risk.

[screenshot: tracker status table for linux-lts-wily]

So it really depends on the kernel version you are running. Of course, the best approach would be to upgrade your server to the latest version, 16.04 LTS, and get newer kernel versions. You didn't provide us with your kernel version, so we don't know if you are at risk for this or not.

It lists the package versions as well as the release versions, which confuses me. It seems to imply that you can run the Trusty source on the Precise OS?

Technically you can run an older kernel on a newer OS version and vice versa, so yes, that is correct.

NOTES:

  • Wily Werewolf (15.10) has already reached end of life and is no longer supported. If you are running this version, I strongly suggest you upgrade.

  • The linux-lts-saucy kernel, version 3.11.0-26.45-precise1, appears not to have that vulnerability. I would suggest any 3.11.x version, but this is still not ideal; newer versions are preferable.

  • Tracking linux in the tracker for this CVE for a given release will track the base kernel shipped in that release. Tracking linux-lts-* in the tracker for this CVE will track an HWE kernel, available only in LTS editions which get HWE updates. Until all of them are "released" or "fixed" for all source packages and all relevant distributions on the tracker, you are not going to be able to 'avoid' the CVE.

Solution 2:

Please note that https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5696.html does not make it clear which kernel Xenial (16.04 LTS) uses. According to xenial-updates this is currently 4.4.0.34.36, which is vulnerable to CVE-2016-5696.

https://people.canonical.com/~ubuntu-security/cve/pkg/linux.html shows this as well.

Solution 3:

As of today (16 August 2016) ALL current versions of Ubuntu apart from Ubuntu Touch 15.04 are vulnerable:

[screenshot: tracker status table for CVE-2016-5696 across Ubuntu releases]

The relevant info from Ubuntu is here; they plan on releasing patched kernels by 27 August: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5696.html

As explained in my comment to Serg's answer above, the important package to look at is 'linux', which is the source package for the kernels in each release. The other packages are mostly LTS Enablement kernels or other specialised kernels, all of which are specific to particular versions.

For example, linux-lts-quantal is listed as 'DNE' for all versions except 12.04 (which is anyway end-of-life). However, this doesn't mean that those versions are not affected by the issue; the 'DNE' is there because the package linux-lts-quantal was only ever specific to 12.04 and doesn't apply to any other version.