CVE-2009-1897

The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.

CVSS v2.0 6.9 MEDIUM

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html
http://article.gmane.org/gmane.linux.network/124939
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
http://grsecurity.net/~spender/cheddar_bay.tgz	Patch
http://isc.sans.org/diary.html?storyid=6820	Exploit
http://lkml.org/lkml/2009/7/6/19	Exploit
http://secunia.com/advisories/35839	Vendor Advisory
http://www.openwall.com/lists/oss-security/2009/07/17/1
http://www.vupen.com/english/advisories/2009/1925	Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=512284
https://exchange.xforce.ibmcloud.com/vulnerabilities/51803
https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel:2.6.30:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.30:rc1::::::
	cpe:2.3:o:linux:linux_kernel:2.6.30:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.30:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.30:rc4:x86_32:::::*
	cpe:2.3:o:linux:linux_kernel:2.6.30:rc5::::::
	cpe:2.3:o:linux:linux_kernel:2.6.30:rc6::::::
	cpe:2.3:o:linux:linux_kernel:2.6.30:rc7-git6::::::
	cpe:2.3:o:linux:linux_kernel:2.6.30.1:::::::*

History

No history.

Information

Published : 2009-07-20 17:30

Updated : 2024-02-04 17:33

NVD link : CVE-2009-1897

Mitre link : CVE-2009-1897

CVE.ORG link : CVE-2009-1897

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2009-1897", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-07-20T17:30:54.733", "references": [{"url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html", "source": "secalert@redhat.com"}, {"url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html", "source": "secalert@redhat.com"}, {"url": "http://article.gmane.org/gmane.linux.network/124939", "source": "secalert@redhat.com"}, {"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13", "source": "secalert@redhat.com"}, {"url": "http://grsecurity.net/~spender/cheddar_bay.tgz", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "http://isc.sans.org/diary.html?storyid=6820", "tags": ["Exploit"], "source": "secalert@redhat.com"}, {"url": "http://lkml.org/lkml/2009/7/6/19", "tags": ["Exploit"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/35839", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2009/07/17/1", "source": "secalert@redhat.com"}, {"url": "http://www.vupen.com/english/advisories/2009/1925", "tags": ["Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=512284", "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51803", "source": "secalert@redhat.com"}, {"url": "https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894."}, {"lang": "es", "value": "La funci\u00f3n tun_chr_poll en drivers/net/tun.c en el subsistema tun del kernel de Linux v2.6.30 y v2.6.30.1, cuando se omite la opci\u00f3n -fno-delete-null-pointer-checks en gcc, permite a atacantes locales obtener privilegios a trav\u00e9s de vectores que implican desreferenciacion de punteros NULL y un nmap de /dev/net/tun, es una vulnerabilidad diferente a CVE-2009-1894."}], "lastModified": "2023-02-13T02:20:14.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10E55450-F6D9-483C-9CC8-E651E5A12AB1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45273823-29EA-44DE-8444-3933402C5793"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88F60E74-09DB-4D4A-B922-4A46EED0EC20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E242D3DE-D1DC-406A-BCC3-C4380B7EC369"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:rc4:x86_32:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06EFB3F7-2EAE-4A56-A9A1-E8C734E6B91E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8598D6E5-0C5C-4A31-841A-C12801DB7D91"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59800B0A-477B-42F8-A58A-5144F455AE01"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30:rc7-git6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F166BF6B-BFB0-4206-BD59-179701572F1C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.30.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99AC6D46-A0BF-4F1D-88BB-03BF74FDB84F"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1897\n\nThe flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun is restricted to root only.\n\nThis issue does not affect any other released kernel in any Red Hat product.", "lastModified": "2009-09-02T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "secalert@redhat.com"}