CVE-2009-1072
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 25 Mar 2009, 01:00
Last modified:07 Aug 2024, 04:57
Vulnerability Summary
Overall Risk (default)
low
20/100 CVSS Score
4.9 MEDIUM
v2.0 (nvd)
EPSS Score
0.59% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
25 Mar 2009, 01:00
Published
Vulnerability first disclosed
07 Aug 2024, 04:57
Last Modified
Vulnerability information updated
Description
nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.
CVSS Metrics
- v2.0•MEDIUM•Score: 4.9AV:L/AC:L/Au:N/C:N/I:C/A:N
EPSS Trends
Current EPSS score: 0.59%• Percentile: 70%
Techniques & Countermeasures
- CWE-16•Configuration
Weaknesses in this category are typically introduced during the configuration of the software.
Affected Systems
- canonical•ubuntu_linux
6.06 | 8.04 | 8.10 | 9.04
- debian•debian_linux
4.0 | 5.0
- linux•linux_kernel
< 2.6.28.9
- opensuse•opensuse
10.3 | 11.0 | 11.1
- suse•linux_enterprise_desktop
10:sp2
- suse•linux_enterprise_server
10:sp2
- vmware•esx
3.0.3 | 3.5 | 4.0
- vmware•server
2.0.0
- Unknown•vCenter Server
4.0
- vmware•virtualcenter
2.0.2 | 2.5
- vmware•vma
4.0
References (29)
- http://secunia.com/advisories/35390
- http://secunia.com/advisories/34432
- http://secunia.com/advisories/34422
- http://www.vupen.com/english/advisories/2009/0802
- http://secunia.com/advisories/34786
- http://www.openwall.com/lists/oss-security/2009/03/23/1
- http://www.securityfocus.com/bid/34205
- http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00002.html
- http://secunia.com/advisories/37471
- http://secunia.com/advisories/35656
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://thread.gmane.org/gmane.linux.kernel/805280
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00000.html
- http://secunia.com/advisories/35185
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10314
- http://www.securityfocus.com/archive/1/507985/100/0/threaded
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8382
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00007.html
- http://www.ubuntu.com/usn/usn-793-1
- http://www.redhat.com/support/errata/RHSA-2009-1081.html
- http://www.debian.org/security/2009/dsa-1800
- http://secunia.com/advisories/35343
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.9
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49356
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commitdiff%3Bh=76a67ec6fb79ff3570dcb5342142c16098299911
- http://secunia.com/advisories/35121
- http://www.vupen.com/english/advisories/2009/3316
- http://secunia.com/advisories/35394