The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.
http://article.gmane.org/gmane.linux.nfs/26592
http://bugzilla.linux-nfs.org/show_bug.cgi?id=131
http://linux-nfs.org/pipermail/nfsv4/2006-November/005313.html
http://linux-nfs.org/pipermail/nfsv4/2006-November/005323.html
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00004.html
http://secunia.com/advisories/35106
http://secunia.com/advisories/35298
http://secunia.com/advisories/35394
http://secunia.com/advisories/35656
http://secunia.com/advisories/35847
http://secunia.com/advisories/36051
http://secunia.com/advisories/36327
http://secunia.com/advisories/37471
http://wiki.rpath.com/Advisories:rPSA-2009-0111
http://www.debian.org/security/2009/dsa-1809
http://www.debian.org/security/2009/dsa-1844
http://www.debian.org/security/2009/dsa-1865
http://www.mandriva.com/security/advisories?name=MDVSA-2009:135
http://www.mandriva.com/security/advisories?name=MDVSA-2009:148
http://www.openwall.com/lists/oss-security/2009/05/13/2
http://www.redhat.com/support/errata/RHSA-2009-1157.html
http://www.securityfocus.com/archive/1/505254/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/34934
http://www.ubuntu.com/usn/usn-793-1
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/1331
http://www.vupen.com/english/advisories/2009/3316
https://bugzilla.redhat.com/show_bug.cgi?id=500297
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8543
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9990
OR
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to 2.6.29.3 (inclusive)
OR
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:*:*:*:*
OR
cpe:2.3:o:vmware:esx:2.5.5:*:*:*:*:*:*:*
cpe:2.3:o:vmware:esx:3.0.3:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
89117 | VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check) | Nessus | Misc. | critical |
79460 | OracleVM 2.1 : kernel (OVMSA-2009-0014) | Nessus | OracleVM Local Security Checks | high |
67884 | Oracle Linux 4 : kernel (ELSA-2009-1132) | Nessus | Oracle Linux Local Security Checks | high |
67874 | Oracle Linux 5 : kernel (ELSA-2009-1106) | Nessus | Oracle Linux Local Security Checks | high |
60609 | Scientific Linux Security Update : kernel on SL4.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high |
60599 | Scientific Linux Security Update : kernel on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high |
59138 | SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6437) | Nessus | SuSE Local Security Checks | high |
51607 | SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 1079 / 1087) | Nessus | SuSE Local Security Checks | high |
48149 | Mandriva Linux Security Advisory : kernel (MDVSA-2009:148) | Nessus | Mandriva Local Security Checks | high |
44730 | Debian DSA-1865-1 : linux-2.6 - denial of service/privilege escalation | Nessus | Debian Local Security Checks | high |
44709 | Debian DSA-1844-1 : linux-2.6.24 - denial of service/privilege escalation | Nessus | Debian Local Security Checks | high |
43757 | CentOS 5 : kernel (CESA-2009:1106) | Nessus | CentOS Local Security Checks | high |
42870 | VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components. | Nessus | VMware ESX Local Security Checks | critical |
42009 | openSUSE 10 Security Update : kernel (kernel-6440) | Nessus | SuSE Local Security Checks | high |
41540 | SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 6439) | Nessus | SuSE Local Security Checks | high |
41413 | SuSE 11 Security Update : Linux kernel (SAT Patch Number 1086) | Nessus | SuSE Local Security Checks | high |
41412 | SuSE 11 Security Update : Linux kernel (SAT Patch Number 1086) | Nessus | SuSE Local Security Checks | high |
40360 | openSUSE Security Update : kernel (kernel-1097) | Nessus | SuSE Local Security Checks | high |
40012 | openSUSE Security Update : kernel (kernel-951) | Nessus | SuSE Local Security Checks | critical |
39586 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-793-1) | Nessus | Ubuntu Local Security Checks | high |
39583 | RHEL 4 : kernel (RHSA-2009:1132) | Nessus | Red Hat Local Security Checks | high |
39444 | Mandriva Linux Security Advisory : kernel (MDVSA-2009:135) | Nessus | Mandriva Local Security Checks | high |
39430 | RHEL 5 : kernel (RHSA-2009:1106) | Nessus | Red Hat Local Security Checks | high |
38990 | Debian DSA-1809-1 : linux-2.6 - denial of service, privilege escalation | Nessus | Debian Local Security Checks | high |
801470 | CentOS RHSA-2009-1106 Security Check | Log Correlation Engine | Generic | high |