CVE-2009-1895

HIGH

Description

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).

References

http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f9fabcb58a6d26d6efde842d1703ac7cfa9427b6

http://patchwork.kernel.org/patch/32598/

http://secunia.com/advisories/35801

http://secunia.com/advisories/36045

http://secunia.com/advisories/36051

http://secunia.com/advisories/36054

http://secunia.com/advisories/36116

http://secunia.com/advisories/36131

http://secunia.com/advisories/36759

http://secunia.com/advisories/37471

http://wiki.rpath.com/Advisories:rPSA-2009-0111

http://www.debian.org/security/2009/dsa-1844

http://www.debian.org/security/2009/dsa-1845

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc3

http://www.mandriva.com/security/advisories?name=MDVSA-2011:051

http://www.osvdb.org/55807

http://www.redhat.com/support/errata/RHSA-2009-1193.html

http://www.redhat.com/support/errata/RHSA-2009-1438.html

http://www.securityfocus.com/archive/1/505254/100/0/threaded

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.securityfocus.com/archive/1/512019/100/0/threaded

http://www.securityfocus.com/bid/35647

http://www.ubuntu.com/usn/usn-807-1

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/1866

http://www.vupen.com/english/advisories/2009/3316

https://bugs.launchpad.net/bugs/cve/2009-1895

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11768

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7826

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9453

https://rhn.redhat.com/errata/RHSA-2009-1540.html

https://rhn.redhat.com/errata/RHSA-2009-1550.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00166.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00223.html

Details

Source: MITRE

Published: 2009-07-16

Updated: 2018-11-08

Type: CWE-16

Risk Information

CVSS v2.0

Base Score: 7.2

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

(32 total)

ID | Name | Product | Family | Severity
89117 | VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check) | Nessus | Misc. | critical
79507 | OracleVM 2.2 : kernel (OVMSA-2013-0039) | Nessus | OracleVM Local Security Checks | critical
79461 | OracleVM 2.1 : kernel (OVMSA-2009-0017) | Nessus | OracleVM Local Security Checks | high
67955 | Oracle Linux 3 : kernel (ELSA-2009-1550) | Nessus | Oracle Linux Local Security Checks | high
67953 | Oracle Linux 5 : kernel (ELSA-2009-1548) | Nessus | Oracle Linux Local Security Checks | high
67952 | Oracle Linux 4 : kernel (ELSA-2009-1541) | Nessus | Oracle Linux Local Security Checks | high
67925 | Oracle Linux 4 : kernel (ELSA-2009-1438) | Nessus | Oracle Linux Local Security Checks | high
67904 | Oracle Linux 5 : kernel (ELSA-2009-1193) | Nessus | Oracle Linux Local Security Checks | high
67070 | CentOS 3 : kernel (CESA-2009:1550) | Nessus | CentOS Local Security Checks | high
67068 | CentOS 5 : kernel (CESA-2009:1548) | Nessus | CentOS Local Security Checks | high
67067 | CentOS 4 : kernel (CESA-2009:1541) | Nessus | CentOS Local Security Checks | high
63915 | RHEL 5 : kernel (RHSA-2010:0079) | Nessus | Red Hat Local Security Checks | critical
60688 | Scientific Linux Security Update : kernel on SL3.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high
60634 | Scientific Linux Security Update : kernel for SL 5.x on i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high
47150 | VMSA-2010-0010 : ESX 3.5 third-party update for Service Console kernel | Nessus | VMware ESX Local Security Checks | high
44710 | Debian DSA-1845-1 : linux-2.6 - denial of service, privilege escalation | Nessus | Debian Local Security Checks | high
44709 | Debian DSA-1844-1 : linux-2.6.24 - denial of service/privilege escalation | Nessus | Debian Local Security Checks | high
43790 | CentOS 4 : kernel (CESA-2009:1438) | Nessus | CentOS Local Security Checks | high
43773 | CentOS 5 : kernel (CESA-2009:1193) | Nessus | CentOS Local Security Checks | high
42870 | VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components. | Nessus | VMware ESX Local Security Checks | critical
42360 | RHEL 3 : kernel (RHSA-2009:1550) | Nessus | Red Hat Local Security Checks | high
42358 | RHEL 5 : kernel (RHSA-2009:1548) | Nessus | Red Hat Local Security Checks | high
42357 | RHEL 4 : kernel (RHSA-2009:1541) | Nessus | Red Hat Local Security Checks | high
42284 | Mandriva Linux Security Advisory : kernel (MDVSA-2009:289) | Nessus | Mandriva Local Security Checks | high
40998 | RHEL 4 : kernel (RHSA-2009:1438) | Nessus | Red Hat Local Security Checks | high
40783 | openSUSE Security Update : kernel (kernel-1211) | Nessus | SuSE Local Security Checks | high
40487 | RHEL 5 : kernel (RHSA-2009:1193) | Nessus | Red Hat Local Security Checks | high
40482 | Fedora 10 : kernel-2.6.27.29-170.2.78.fc10 (2009-8264) | Nessus | Fedora Local Security Checks | high
40481 | Fedora 11 : kernel-2.6.29.6-217.2.3.fc11 (2009-8144) | Nessus | Fedora Local Security Checks | high
40416 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-807-1) | Nessus | Ubuntu Local Security Checks | high
801476 | CentOS RHSA-2009-1438 Security Check | Log Correlation Engine | Generic | high
801471 | CentOS RHSA-2009-1193 Security Check | Log Correlation Engine | Generic | high