CVE-2020-27067

Published: 15 December 2020

In the l2tp subsystem, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-152409173

Notes

Author: sbeattie
Note: see salsa link for 4.9 stable commits.

Priority

Medium

CVSS 3 Severity Score

6.4

Status

Package Release Status

linux
bionic Not vulnerable (4.15.0-10.11)
focal Not vulnerable (5.4.0-9.12)
groovy Not vulnerable (5.4.0-26.30)
trusty Ignored (was needs-triage ESM criteria)
upstream Released (4.15~rc1)
xenial Released (4.4.0-186.216)
Patches:

linux-aws
bionic Not vulnerable (4.15.0-1001.1)
focal Not vulnerable (5.4.0-1005.5)
groovy Not vulnerable (5.4.0-1009.9)
trusty Ignored (was needs-triage ESM criteria)
upstream Released (4.15~rc1)
xenial Released (4.4.0-1111.123)

linux-aws-5.0
bionic Ignored (superseded by linux-aws-5.3)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-aws-5.3
bionic Ignored (superseded by linux-aws-5.4)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-aws-5.4
bionic Not vulnerable (5.4.0-1018.18~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-aws-hwe
bionic Does not exist
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Not vulnerable (4.15.0-1030.31~16.04.1)

linux-azure
bionic Ignored (superseded by linux-azure-5.3)
focal Not vulnerable (5.4.0-1006.6)
groovy Not vulnerable (5.4.0-1010.10)
trusty Ignored (was needs-triage ESM criteria)
upstream Released (4.15~rc1)
xenial Released (4.15.0-1013.13~16.04.2)

linux-azure-4.15
bionic Not vulnerable (4.15.0-1082.92)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-azure-5.3
bionic Ignored (superseded by linux-azure-5.4)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-azure-5.4
bionic Not vulnerable (5.4.0-1020.20~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-azure-edge
bionic Ignored (superseded by linux-azure-5.3)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gcp
bionic Ignored (superseded by linux-gcp-5.3)
focal Not vulnerable (5.4.0-1005.5)
groovy Not vulnerable (5.4.0-1009.9)
trusty Does not exist
upstream Released (4.15~rc1)
xenial Released (4.15.0-1014.14~16.04.1)

linux-gcp-4.15
bionic Not vulnerable (4.15.0-1071.81)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gcp-5.3
bionic Ignored (superseded by linux-gcp-5.4)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gcp-5.4
bionic Not vulnerable (5.4.0-1019.19~18.04.2)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gcp-edge
bionic Ignored (superseded by linux-gcp-5.3)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gke-4.15
bionic Not vulnerable (4.15.0-1030.32)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gke-5.0
bionic Not vulnerable (5.0.0-1011.11~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gke-5.3
bionic Not vulnerable (5.3.0-1011.12~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gke-5.4
bionic Not vulnerable (5.4.0-1025.25~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-gkeop-5.4
bionic Not vulnerable (5.4.0-1001.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-hwe
bionic Ignored (replaced by linux-hwe-5.4)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Released (4.15.0-24.26~16.04.1)

linux-hwe-5.4
bionic Not vulnerable (5.4.0-37.41~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-hwe-5.8
bionic Does not exist
focal Not vulnerable (5.8.0-23.24~20.04.1)
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-hwe-edge
bionic Ignored (superseded by linux-hwe-5.4)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Ignored (superseded by linux-hwe)

linux-kvm
bionic Not vulnerable (4.15.0-1002.2)
focal Not vulnerable (5.4.0-1004.4)
groovy Not vulnerable (5.4.0-1009.9)
trusty Does not exist
upstream Released (4.15~rc1)
xenial Released (4.4.0-1077.84)

linux-lts-trusty
bionic Does not exist
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-lts-xenial
bionic Does not exist
focal Does not exist
groovy Does not exist
trusty Ignored (was needs-triage ESM criteria)
upstream Released (4.15~rc1)
xenial Does not exist

linux-oem
bionic Ignored (end of life, was needs-triage)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Ignored (end of standard support)

linux-oem-5.6
bionic Does not exist
focal Not vulnerable (5.6.0-1007.7)
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-oem-osp1
bionic Ignored (end of standard support, was needs-triage)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-oracle
bionic Not vulnerable (4.15.0-1007.9)
focal Not vulnerable (5.4.0-1005.5)
groovy Not vulnerable (5.4.0-1009.9)
trusty Does not exist
upstream Released (4.15~rc1)
xenial Not vulnerable (4.15.0-1007.9~16.04.1)

linux-oracle-5.0
bionic Ignored (superseded by linux-oracle-5.3)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-oracle-5.3
bionic Ignored (superseded by linux-oracle-5.4)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-oracle-5.4
bionic Not vulnerable (5.4.0-1019.19~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-raspi
bionic Does not exist
focal Not vulnerable (5.4.0-1007.7)
groovy Not vulnerable (5.4.0-1008.8)
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-raspi-5.4
bionic Not vulnerable (5.4.0-1013.13~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-raspi2
bionic Not vulnerable (4.15.0-1006.7)
focal Ignored (replaced by linux-raspi)
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Released (4.4.0-1136.145)

linux-raspi2-5.3
bionic Not vulnerable (5.3.0-1017.19~18.04.1)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-riscv
bionic Does not exist
focal Ignored (end of life, was needs-triage)
groovy Not vulnerable (5.4.0-24.28)
trusty Does not exist
upstream Released (4.15~rc1)
xenial Does not exist

linux-snapdragon
bionic Released (4.15.0-1053.57)
focal Does not exist
groovy Does not exist
trusty Does not exist
upstream Released (4.15~rc1)
xenial Released (4.4.0-1140.148)

Severity score breakdown

Parameter Value
Base score 6.4
Attack vector Local
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H