CVE-2009-2908
Published: 2009-10-13
Priority: P274 · medium · 4.9 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:N/I:N/A:C
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 1.22% (65.0th percentile)
The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | — | — |
Detection & IOCs (extracted from sources)
YARA (Elastic):

```yara
rule Linux_Exploit_CVE_2009_2908_406c2fef {
    meta:
        author = "Elastic Security"
        id = "406c2fef-0f1a-441a-96b9-e4168c283c90"
        fingerprint = "94a94217823a8d682ba27889ba2b53fef7b18ae14d75a73456f21184e51581cf"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2009-2908"
        reference_sample = "1e05a23f5b3b9cfde183aec26b723147e1816b95dc0fb7f9ac57376efcb22fcd"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 74 00 66 70 72 69 6E 74 66 00 66 77 72 69 74 65 00 64 65 73 }
    condition:
        all of them
}
```

Bytes: 74 00 66 70 72 69 6E 74 66 00 66 77 72 69 74 65 00 64 65 73
- Exploit triggers a NULL pointer dereference via a "negative dentry" in eCryptfs; look for kernel OOPS traces referencing ecryptfs_read_update_atime() or ecryptfs_getxattr() with a NULL d_inode dereference.
- Exploit can be triggered via a Mutt temporary directory created inside an eCryptfs mount; monitor for Mutt process activity on eCryptfs-mounted filesystems.
- Scan files and memory on Linux x86 systems with the Elastic YARA rule Linux_Exploit_CVE_2009_2908_406c2fef, whose only string is the byte signature { 74 00 66 70 72 69 6E 74 66 00 66 77 72 69 74 65 00 64 65 73 } (decoded: the NUL-separated libc symbol names "t\0fprintf\0fwrite\0des" as they sit in an ELF string table). That is a fragment of one sample's string table, not a property of the technique, so a miss is not evidence that no trigger program is present.
- The exploit involves calling vfs_unlink() on the lower dentry, causing d_delete() to turn the dentry into a negative dentry when d_count is 1. Unlinking an open file and continuing to use the descriptor is the ordinary temporary-file idiom (which is how Mutt hit it), so audit records of unlink operations on eCryptfs mounts are noisy on their own; treat the kernel OOPS as the dependable signal and audit unlinks as supporting context.
- Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG kernels do not include eCryptfs support and are not affected by this CVE.
- The NVD text names only kernel 2.6.31, but the fix landed in the 2.6.31 stable tree and vendors shipped updates for their own eCryptfs-enabled kernels (RHSA-2009-1548 and USN-852-1 in the references below), so treat any unpatched kernel built with eCryptfs (CONFIG_ECRYPT_FS) as affected; kernels built without eCryptfs are not affected.
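The two host-side checks above (OOPS traces naming the eCryptfs functions, and the Elastic byte signature) as a small scanner; this is an added example written for this page, not code from the CVE sources, Elastic, or the kernel. The kernel log lines and the ELF string-table fragment are constructed for the example, and the function names oops_records_in_ecryptfs, has_elastic_signature and demo_signature_offset are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed kernel log lines (not a real capture): two eCryptfs OOPS
 * records with an unrelated NULL-pointer OOPS between them. */
static const char *const SAMPLE_DMESG[] = {
    "[  512.101] eCryptfs: mount on /home/user/Private",
    "[  600.220] BUG: unable to handle kernel NULL pointer dereference at 00000000",
    "[  600.221] IP: [<c02a4d10>] ecryptfs_read_update_atime+0x20/0x60",
    "[  600.222] Oops: 0000 [#1] SMP",
    "[  600.223] Call Trace:",
    "[  600.224]  [<c01b0f3a>] do_sync_read+0xca/0x120",
    "[  600.225]  [<c01b1a8c>] vfs_read+0xac/0x160",
    "[  600.226] ---[ end trace 9a8b7c6d5e4f3a2b ]---",
    "[  700.000] BUG: unable to handle kernel NULL pointer dereference at 00000010",
    "[  700.001] IP: [<c0301234>] some_other_driver_fn+0x14/0x40",
    "[  700.002] ---[ end trace 1234567890abcdef ]---",
    "[  800.000] BUG: unable to handle kernel NULL pointer dereference at 00000000",
    "[  800.001] IP: [<c02a5ab0>] ecryptfs_getxattr+0x30/0x70",
    "[  800.002] ---[ end trace 0f0e0d0c0b0a0908 ]---",
};
#define SAMPLE_DMESG_LINES (sizeof SAMPLE_DMESG / sizeof SAMPLE_DMESG[0])

/* The two functions the commit message says dereference the negative dentry. */
static const char *const ECRYPTFS_SYMBOLS[] = {
    "ecryptfs_read_update_atime", "ecryptfs_getxattr"
};

/* Group log lines into OOPS records: a record opens at the "BUG: unable to
 * handle kernel NULL pointer dereference" line and closes at "---[ end trace".
 * Return how many records name one of the eCryptfs symbols anywhere inside. */
int oops_records_in_ecryptfs(const char *const *lines, size_t nlines)
{
    int hits = 0, in_record = 0, record_hit = 0;
    for (size_t i = 0; i < nlines; i++) {
        const char *l = lines[i];
        if (strstr(l, "BUG: unable to handle kernel NULL pointer dereference")) {
            if (in_record && record_hit) hits++;   /* previous record had no end marker */
            in_record = 1;
            record_hit = 0;
            continue;
        }
        if (!in_record) continue;
        for (size_t s = 0; s < 2; s++)
            if (strstr(l, ECRYPTFS_SYMBOLS[s])) record_hit = 1;
        if (strstr(l, "---[ end trace")) {
            if (record_hit) hits++;
            in_record = 0;
            record_hit = 0;
        }
    }
    if (in_record && record_hit) hits++;          /* log ended mid-record */
    return hits;
}

/* $a from rule Linux_Exploit_CVE_2009_2908_406c2fef, i.e. the bytes
 * "t\0fprintf\0fwrite\0des": NUL-separated symbol names from an ELF string table. */
static const unsigned char ELASTIC_SIG[] = {
    0x74,0x00,0x66,0x70,0x72,0x69,0x6E,0x74,0x66,0x00,
    0x66,0x77,0x72,0x69,0x74,0x65,0x00,0x64,0x65,0x73
};

/* Binary-safe search (embedded NULs, so strstr is unusable): offset or -1. */
long has_elastic_signature(const unsigned char *buf, size_t len)
{
    size_t n = sizeof ELASTIC_SIG;
    if (len < n) return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, ELASTIC_SIG, n) == 0) return (long)i;
    return -1;
}

/* Constructed .dynstr-like fragment with the signature placed at offset 8. */
long demo_signature_offset(void)
{
    static const unsigned char buf[] =
        "libc.so\0" "t\0fprintf\0fwrite\0des" "\0exit\0";
    return has_elastic_signature(buf, sizeof buf);
}

int main(void)
{
    printf("eCryptfs OOPS records: %d\n",
           oops_records_in_ecryptfs(SAMPLE_DMESG, SAMPLE_DMESG_LINES));
    printf("signature offset in constructed buffer: %ld\n", demo_signature_offset());
    return 0;
}
```

Grouping by OOPS record rather than grepping single lines matters: the faulting function usually appears on the IP: line or in the call trace, not on the BUG: line, and counting records instead of lines avoids double-counting one crash whose trace mentions both symbols.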
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.9 | MEDIUM | AV:L/AC:L/Au:N/C:N/I:N/A:C |
| vulncheck | | 4.9 | MEDIUM | |
| vendor_redhat | | 4.9 | MEDIUM | |
| vendor_ubuntu | | 4.4 | MEDIUM | |
GHSA
GHSA-f3r5-84q7-26q7 (ghsa_unreviewed · 2022-05-02) · CVE-2009-2908 [MEDIUM]
Description: same as the NVD text above.
VulnCheck
Linux Kernel NULL Pointer Dereference (vulncheck · 2009 · CVSS 4.9) · CVE-2009-2908 [MEDIUM]
Description: same as the NVD text above.
Affected: Linux Kernel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://flare.io/learn/resources/blog/old-school-irc-new-victims-inside-the-newly-discovered-sshstalker-linux-botnet
Ubuntu
Linux kernel vulnerabilities (vendor_ubuntu · 2009-10-22 · CVSS 4.4). The advisory covers several CVEs; the source entry is headed CVE-2009-3238 [MEDIUM] and the excerpt below is cut off before the eCryptfs item.
Solar Designer discovered that the z90crypt driver did not correctly
check capabilities. A local attacker could exploit this to shut down
the device, leading to a denial of service. Only affected Ubuntu 6.06.
(CVE-2009-1883)
Michael Buesch discovered that the SGI GRU driver did not correctly check
the length when setting options. A local attacker could exploit this
to write to the kernel stack, leading to root privilege escalation or
a denial of service. Only affected Ubuntu 8.10 and 9.04. (CVE-2009-2584)
It was discovered that SELinux did not fully implement the mmap_min_addr
restrictions. A local attacker could exploit this to allocate the
NULL memory page which could lead to further attacks against kernel
NULL
Red Hat
kernel ecryptfs NULL pointer dereference (vendor_redhat · 2009-09-22 · CVSS 4.9 · CWE-476) · CVE-2009-2908 [MEDIUM]
Description: same as the NVD text above.
Statement: The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG do not include support for eCryptfs, and therefore are not affected by this issue.
No public exploits indexed.
Bugzilla
CVE-2009-2908 kernel ecryptfs NULL pointer dereference (bugzilla · 2009-10-06 · CVSS 4.9 · MEDIUM)
A flaw was found in ecryptfs which can result in a NULL pointer dereference. Quoting the commit message:
When calling vfs_unlink() on the lower dentry, d_delete() turns the
dentry into a negative dentry when the d_count is 1. This eventually
caused a NULL pointer deref when a read() or write() was done and the
negative dentry's d_inode was dereferenced in
ecryptfs_read_update_atime() or ecryptfs_getxattr().
The upstream commit is here:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commit;h=afc2b6932f48f200736d3e36ad66fee0ec733136
There is a launchpad bug with more details here:
https://bugs.launchpad.net/ecryptfs/+bug/387073
Discussion:
I suspect this flaw could result in arbitrary code execution, but I'm
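A userspace model of the refcount interaction the commit message describes, added here as an example; it is not kernel code and not the upstream patch. A dentry carries a reference count (d_count) and an inode pointer; model_d_delete() follows the rule quoted above, turning the dentry negative (d_inode = NULL) only when d_count is 1 and merely unhashing it otherwise. unlink_lower_unsafe() performs the unlink while holding the sole reference, so a later read through the still-open file meets a negative dentry; unlink_lower_safe() pins the lower dentry with an extra reference across the unlink. That pinning is an assumption derived from the "d_count is 1" condition, not a quotation of the fix commit, and the names model_d_delete, unlink_lower_safe, read_update_atime and scenario belong to the example. The NULL check in read_update_atime() exists only so the example can report the outcome; the real function dereferenced the pointer unconditionally, which is the OOPS.

```c
#include <stdio.h>

struct inode  { long atime; };
struct dentry { int d_count; int hashed; struct inode *d_inode; };

/* Model of d_delete() (per the commit message): with the caller holding the
 * only reference the dentry goes negative; otherwise it is only unhashed. */
static void model_d_delete(struct dentry *d)
{
    if (d->d_count == 1)
        d->d_inode = NULL;      /* negative dentry: name gone, inode dropped */
    d->hashed = 0;
}

static void dget(struct dentry *d) { d->d_count++; }
static void dput(struct dentry *d) { d->d_count--; }

/* Model of vfs_unlink() on the lower dentry: remove the name, then d_delete(). */
static void model_vfs_unlink(struct dentry *lower)
{
    model_d_delete(lower);
}

/* The buggy shape: the lower dentry's only reference is the one the eCryptfs
 * dentry holds, so d_count is 1 when d_delete() runs. */
void unlink_lower_unsafe(struct dentry *lower)
{
    model_vfs_unlink(lower);
}

/* Assumed hardening: take an extra reference for the duration of the unlink
 * so d_count is 2 inside d_delete(); the inode stays attached and the open
 * file can keep using it (the usual open, unlink, keep-the-fd temp-file idiom). */
void unlink_lower_safe(struct dentry *lower)
{
    dget(lower);
    model_vfs_unlink(lower);
    dput(lower);
}

/* Model of ecryptfs_read_update_atime() touching lower->d_inode after the
 * unlink. Returns 0 on success; -1 stands in for the kernel NULL dereference. */
int read_update_atime(struct dentry *lower)
{
    if (lower->d_inode == NULL)
        return -1;              /* in the kernel this line is the OOPS */
    lower->d_inode->atime = 1;
    return 0;
}

/* One run: open file holds a reference, unlink (pinned or not), then read.
 * Returns 0 if the read survives, -1 if it hit the negative dentry. */
int scenario(int pinned)
{
    struct inode  ino   = { 0 };
    struct dentry lower = { 1, 1, &ino };   /* d_count 1: the open file's ref */
    if (pinned)
        unlink_lower_safe(&lower);
    else
        unlink_lower_unsafe(&lower);
    return read_update_atime(&lower);
}

int main(void)
{
    printf("unlink with d_count == 1, then read: %s\n",
           scenario(0) == 0 ? "ok" : "negative dentry -> NULL deref");
    printf("unlink with dentry pinned, then read: %s\n",
           scenario(1) == 0 ? "ok" : "negative dentry -> NULL deref");
    return 0;
}
```

The point the model makes is that the crash is a lifetime bug, not a parsing one: nothing in the read path is malformed, the object it relies on was simply allowed to lose its inode one call earlier. Any fix has to keep the inode attached for as long as an open file can reach the dentry, which is why the reference count, not the read path, is the place to look.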
arXiv
The Security War in File Systems: An Empirical Study from A Vulnerability-Centric Perspective (arxiv_fulltext · 2022-04-26)
## Abstract
This paper presents a systematic study on the security of modern file systems,
following a vulnerability-centric perspective. Specifically,
we collected 377 file system vulnerabilities committed to the CVE database in the past 20 years.
We characterize them from four dimensions that include why the vulnerabilities appear,
how the vulnerabilities can be exploited, what consequences can arise,
and how the vulnerabilities are fixed. This way, we build a deep understanding of
the attack surfaces faced by file systems, the threats imposed by the attack surfaces,
and the good and bad practices in mitigating the attacks in file systems. We envision that our study
will bring insights toward
References
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commit;h=afc2b6932f48f200736d3e36ad66fee0ec733136
- http://lists.vmware.com/pipermail/security-announce/2010/000082.html
- http://secunia.com/advisories/37075
- http://secunia.com/advisories/37105
- http://secunia.com/advisories/38794
- http://secunia.com/advisories/38834
- http://www.openwall.com/lists/oss-security/2009/10/06/1
- http://www.securityfocus.com/bid/36639
- http://www.ubuntu.com/usn/USN-852-1
- http://www.vupen.com/english/advisories/2010/0528
- https://bugs.launchpad.net/ecryptfs/+bug/387073
- https://bugzilla.redhat.com/show_bug.cgi?id=527534
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53693
- https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:10216
- https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6992
- https://rhn.redhat.com/errata/RHSA-2009-1548.html
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00483.html