Vulnerabilities > CVE-2007-2878 - Local Denial of Service vulnerability in Linux Kernel 2.6.21.1
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 |
Exploit-Db
| description | Linux Kernel 2.6.x VFat Compat IOCTLS Local Denial of Service Vulnerability. CVE-2007-2878. Dos exploit for linux platform |
| id | EDB-ID:30080 |
| last seen | 2016-02-03 |
| modified | 2007-05-24 |
| published | 2007-05-24 |
| reporter | Bart Oldeman |
| source | https://www.exploit-db.com/download/30080/ |
| title | Linux Kernel 2.6.x - VFat Compat IOCTLS Local Denial of Service Vulnerability |
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0705.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important) * a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important) * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important) * a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim last seen 2020-06-01 modified 2020-06-02 plugin id 26050 published 2007-09-14 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26050 title RHEL 5 : kernel (RHSA-2007:0705) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0939.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 37953 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37953 title CentOS 4 : kernel (CESA-2007:0939) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0705.NASL description From Red Hat Security Advisory 2007:0705 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important) * a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important) * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important) * a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim last seen 2020-06-01 modified 2020-06-02 plugin id 67543 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67543 title Oracle Linux 5 : kernel (ELSA-2007-0705) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-489-1.NASL description A flaw was discovered in dvb ULE decapsulation. A remote attacker could send a specially crafted message and cause a denial of service. (CVE-2006-4623) The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to an variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453) A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw was discovered in the cluster manager. A remote attacker could connect to the DLM port and block further DLM operations. (CVE-2007-3380) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28090 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28090 title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerability (USN-489-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0705.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important) * a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important) * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important) * a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim last seen 2020-06-01 modified 2020-06-02 plugin id 43648 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43648 title CentOS 5 : kernel (CESA-2007:0705) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0939.NASL description From Red Hat Security Advisory 2007:0939 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 67580 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67580 title Oracle Linux 4 : kernel (ELSA-2007-0939) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-486-1.NASL description The compat_sys_mount function allowed local users to cause a denial of service when mounting a smbfs filesystem in compatibility mode. (CVE-2006-7203) The Omnikey CardMan 4040 driver (cm4040_cs) did not limit the size of buffers passed to read() and write(). A local attacker could exploit this to execute arbitrary code with kernel privileges. (CVE-2007-0005) Due to a variable handling flaw in the ipv6_getsockopt_sticky() function a local attacker could exploit the getsockopt() calls to read arbitrary kernel memory. This could disclose sensitive data. (CVE-2007-1000) Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353) A flaw was discovered in the handling of netlink messages. Local attackers could cause infinite recursion leading to a denial of service. (CVE-2007-1861) A flaw was discovered in the IPv6 stack last seen 2020-06-01 modified 2020-06-02 plugin id 28087 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28087 title Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-486-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-510-1.NASL description A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) Zhongling Wen discovered that the h323 conntrack handler did not correctly handle certain bitfields. A remote attacker could send a specially crafted packet and cause a denial of service. (CVE-2007-3642) A flaw was discovered in the CIFS mount security checking. Remote attackers could spoof CIFS network traffic, which could lead a client to trust the connection. (CVE-2007-3843) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28114 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28114 title Ubuntu 7.04 : linux-source-2.6.20 vulnerabilities (USN-510-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1479.NASL description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2878 Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an last seen 2020-06-01 modified 2020-06-02 plugin id 30126 published 2008-01-30 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/30126 title Debian DSA-1479-1 : linux-2.6 - several vulnerabilities NASL family Scientific Linux Local Security Checks NASL id SL_20071101_KERNEL_ON_SL4_X.NASL description - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) - A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) - A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) - A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) - A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 60280 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60280 title Scientific Linux Security Update : kernel on SL4.x i386/x86_64 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0939.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 27616 published 2007-11-02 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27616 title RHEL 4 : kernel (RHSA-2007:0939)
Oval
| accepted | 2013-04-29T04:15:17.703-04:00 | ||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||
| description | The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors. | ||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:11674 | ||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||
| title | The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run on a 64-bit system, allow local users to corrupt a kernel_dirent struct and cause a denial of service (system crash) via unknown vectors. | ||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||||||
| rpms |
|
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-10-18 |
| organization | Red Hat |
| statement | This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. |
References
- http://osvdb.org/35926
- http://secunia.com/advisories/25505
- http://secunia.com/advisories/26133
- http://secunia.com/advisories/26139
- http://secunia.com/advisories/26760
- http://secunia.com/advisories/27436
- http://secunia.com/advisories/27747
- http://secunia.com/advisories/28626
- http://support.avaya.com/elmodocs2/security/ASA-2007-474.htm
- http://www.debian.org/security/2008/dsa-1479
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2
- http://www.redhat.com/support/errata/RHSA-2007-0705.html
- http://www.redhat.com/support/errata/RHSA-2007-0939.html
- http://www.securityfocus.com/bid/24134
- http://www.ubuntu.com/usn/usn-486-1
- http://www.ubuntu.com/usn/usn-489-1
- http://www.ubuntu.com/usn/usn-510-1
- http://www.vupen.com/english/advisories/2007/2023
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34669
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11674