CVE-2009-2908
published 2009-10-13


Priority: P2 (74, medium)
CVSS 2.0: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
VulnCheck KEV: exploited in the wild
EPSS: 1.22% (65.0th percentile)
The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a "negative dentry" and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.

Affected (1 range)

Vendor: linux
Product: linux_kernel
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

hash: 1e05a23f5b3b9cfde183aec26b723147e1816b95dc0fb7f9ac57376efcb22fcd
path: fs/ecryptfs/inode.c
yara:
rule Linux_Exploit_CVE_2009_2908_406c2fef {
    meta:
        author = "Elastic Security"
        id = "406c2fef-0f1a-441a-96b9-e4168c283c90"
        fingerprint = "94a94217823a8d682ba27889ba2b53fef7b18ae14d75a73456f21184e51581cf"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2009-2908"
        reference_sample = "1e05a23f5b3b9cfde183aec26b723147e1816b95dc0fb7f9ac57376efcb22fcd"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 74 00 66 70 72 69 6E 74 66 00 66 77 72 69 74 65 00 64 65 73 }
    condition:
        all of them
}
bytes: 74 00 66 70 72 69 6E 74 66 00 66 77 72 69 74 65 00 64 65 73
(the sequence is ASCII with NUL separators, i.e. the string-table fragment "t", "fprintf", "fwrite", "des", as found in the binary's imported-symbol names; on its own it is a weak indicator, so treat a match as a lead to confirm against the reference sample hash, not as proof of the exploit)
  • Exploit triggers a NULL pointer dereference via a 'negative dentry' in eCryptfs; look for kernel OOPS traces referencing ecryptfs_read_update_atime() or ecryptfs_getxattr() with a NULL d_inode dereference.
  • Exploit can be triggered via a Mutt temporary directory created inside an eCryptfs mount; monitor for Mutt process activity on eCryptfs-mounted filesystems.
  • Scan files and memory on Linux x86 systems for the Elastic YARA rule Linux_Exploit_CVE_2009_2908_406c2fef using the byte signature { 74 00 66 70 72 69 6E 74 66 00 66 77 72 69 74 65 00 64 65 73 }.
  • The exploit involves calling vfs_unlink() on the lower dentry, causing d_delete() to turn the dentry into a negative dentry when d_count is 1; kernel audit logs showing unexpected unlink operations on eCryptfs lower dentries may indicate exploitation.
  • Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG kernels do not include eCryptfs support and are not affected by this CVE.
  • Only Linux kernel version 2.6.31 is explicitly cited as vulnerable; systems running kernels without eCryptfs compiled in are not affected.

CVSS provenance

nvd (CVSS v2.0): 4.9 MEDIUM, AV:L/AC:L/Au:N/C:N/I:N/A:C
vulncheck: 4.9 MEDIUM
vendor_redhat: 4.9 MEDIUM
vendor_ubuntu: 4.4 MEDIUM