ID CVE-2008-0600
Summary The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
References
Vulnerable Configurations
  • Linux Kernel 2.6.17
    cpe:2.3:o:linux:linux_kernel:2.6.17
  • Linux Kernel 2.6.17 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc1
  • Linux Kernel 2.6.17 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc2
  • Linux Kernel 2.6.17 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc3
  • Linux Kernel 2.6.17 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc4
  • Linux Kernel 2.6.17 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc5
  • Linux Kernel 2.6.17 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.17:rc6
  • Linux Kernel 2.6.17.1
    cpe:2.3:o:linux:linux_kernel:2.6.17.1
  • Linux Kernel 2.6.17.2
    cpe:2.3:o:linux:linux_kernel:2.6.17.2
  • Linux Kernel 2.6.17.3
    cpe:2.3:o:linux:linux_kernel:2.6.17.3
  • Linux Kernel 2.6.17.4
    cpe:2.3:o:linux:linux_kernel:2.6.17.4
  • Linux Kernel 2.6.17.5
    cpe:2.3:o:linux:linux_kernel:2.6.17.5
  • Linux Kernel 2.6.17.6
    cpe:2.3:o:linux:linux_kernel:2.6.17.6
  • Linux Kernel 2.6.17.7
    cpe:2.3:o:linux:linux_kernel:2.6.17.7
  • Linux Kernel 2.6.17.8
    cpe:2.3:o:linux:linux_kernel:2.6.17.8
  • Linux Kernel 2.6.17.9
    cpe:2.3:o:linux:linux_kernel:2.6.17.9
  • Linux Kernel 2.6.17.10
    cpe:2.3:o:linux:linux_kernel:2.6.17.10
  • Linux Kernel 2.6.17.11
    cpe:2.3:o:linux:linux_kernel:2.6.17.11
  • Linux Kernel 2.6.17.12
    cpe:2.3:o:linux:linux_kernel:2.6.17.12
  • Linux Kernel 2.6.17.13
    cpe:2.3:o:linux:linux_kernel:2.6.17.13
  • Linux Kernel 2.6.17.14
    cpe:2.3:o:linux:linux_kernel:2.6.17.14
  • Linux Kernel 2.6.18
    cpe:2.3:o:linux:linux_kernel:2.6.18
  • Linux Kernel 2.6.18 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc1
  • Linux Kernel 2.6.18 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc2
  • Linux Kernel 2.6.18 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc3
  • Linux Kernel 2.6.18 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc4
  • Linux Kernel 2.6.18 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc5
  • Linux Kernel 2.6.18 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc6
  • Linux Kernel 2.6.18 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc7
  • Linux Kernel 2.6.18.1
    cpe:2.3:o:linux:linux_kernel:2.6.18.1
  • Linux Kernel 2.6.18.2
    cpe:2.3:o:linux:linux_kernel:2.6.18.2
  • Linux Kernel 2.6.18.3
    cpe:2.3:o:linux:linux_kernel:2.6.18.3
  • Linux Kernel 2.6.18.4
    cpe:2.3:o:linux:linux_kernel:2.6.18.4
  • Linux Kernel 2.6.18.5
    cpe:2.3:o:linux:linux_kernel:2.6.18.5
  • Linux Kernel 2.6.18.6
    cpe:2.3:o:linux:linux_kernel:2.6.18.6
  • Linux Kernel 2.6.18.7
    cpe:2.3:o:linux:linux_kernel:2.6.18.7
  • Linux Kernel 2.6.18.8
    cpe:2.3:o:linux:linux_kernel:2.6.18.8
  • Linux Kernel 2.6.19
    cpe:2.3:o:linux:linux_kernel:2.6.19
  • Linux Kernel 2.6.19 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.19:rc1
  • Linux Kernel 2.6.19 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.19:rc2
  • Linux Kernel 2.6.19 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.19:rc3
  • Linux Kernel 2.6.19 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.19:rc4
  • Linux Kernel 2.6.19.1
    cpe:2.3:o:linux:linux_kernel:2.6.19.1
  • Linux Kernel 2.6.19.2
    cpe:2.3:o:linux:linux_kernel:2.6.19.2
  • Linux Kernel 2.6.19.3
    cpe:2.3:o:linux:linux_kernel:2.6.19.3
  • Linux Kernel 2.6.20
    cpe:2.3:o:linux:linux_kernel:2.6.20
  • Linux Kernel 2.6.20 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.20:rc2
  • Linux Kernel 2.6.20.1
    cpe:2.3:o:linux:linux_kernel:2.6.20.1
  • Linux Kernel 2.6.20.2
    cpe:2.3:o:linux:linux_kernel:2.6.20.2
  • Linux Kernel 2.6.20.3
    cpe:2.3:o:linux:linux_kernel:2.6.20.3
  • Linux Kernel 2.6.20.4
    cpe:2.3:o:linux:linux_kernel:2.6.20.4
  • Linux Kernel 2.6.20.5
    cpe:2.3:o:linux:linux_kernel:2.6.20.5
  • Linux Kernel 2.6.20.6
    cpe:2.3:o:linux:linux_kernel:2.6.20.6
  • Linux Kernel 2.6.20.7
    cpe:2.3:o:linux:linux_kernel:2.6.20.7
  • Linux Kernel 2.6.20.8
    cpe:2.3:o:linux:linux_kernel:2.6.20.8
  • Linux Kernel 2.6.20.9
    cpe:2.3:o:linux:linux_kernel:2.6.20.9
  • Linux Kernel 2.6.20.10
    cpe:2.3:o:linux:linux_kernel:2.6.20.10
  • Linux Kernel 2.6.20.11
    cpe:2.3:o:linux:linux_kernel:2.6.20.11
  • Linux Kernel 2.6.20.12
    cpe:2.3:o:linux:linux_kernel:2.6.20.12
  • Linux Kernel 2.6.20.13
    cpe:2.3:o:linux:linux_kernel:2.6.20.13
  • Linux Kernel 2.6.20.14
    cpe:2.3:o:linux:linux_kernel:2.6.20.14
  • Linux Kernel 2.6.20.15
    cpe:2.3:o:linux:linux_kernel:2.6.20.15
  • Linux Kernel 2.6.21
    cpe:2.3:o:linux:linux_kernel:2.6.21
  • Linux Kernel 2.6.21 git1
    cpe:2.3:o:linux:linux_kernel:2.6.21:git1
  • Linux Kernel 2.6.21 git2
    cpe:2.3:o:linux:linux_kernel:2.6.21:git2
  • Linux Kernel 2.6.21 git3
    cpe:2.3:o:linux:linux_kernel:2.6.21:git3
  • Linux Kernel 2.6.21 git4
    cpe:2.3:o:linux:linux_kernel:2.6.21:git4
  • Linux Kernel 2.6.21 git5
    cpe:2.3:o:linux:linux_kernel:2.6.21:git5
  • Linux Kernel 2.6.21 git6
    cpe:2.3:o:linux:linux_kernel:2.6.21:git6
  • Linux Kernel 2.6.21 git7
    cpe:2.3:o:linux:linux_kernel:2.6.21:git7
  • Linux Kernel 2.6.21 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.21:rc3
  • Linux Kernel 2.6.21 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.21:rc4
  • Linux Kernel 2.6.21 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.21:rc5
  • Linux Kernel 2.6.21 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.21:rc6
  • Linux Kernel 2.6.21 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:2.6.21:rc7
  • Linux Kernel 2.6.21.1
    cpe:2.3:o:linux:linux_kernel:2.6.21.1
  • Linux Kernel 2.6.21.2
    cpe:2.3:o:linux:linux_kernel:2.6.21.2
  • Linux Kernel 2.6.21.3
    cpe:2.3:o:linux:linux_kernel:2.6.21.3
  • Linux Kernel 2.6.21.4
    cpe:2.3:o:linux:linux_kernel:2.6.21.4
  • Linux Kernel 2.6.22
    cpe:2.3:o:linux:linux_kernel:2.6.22
  • Linux Kernel 2.6.22 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.22:rc6
  • Linux Kernel 2.6.22.1
    cpe:2.3:o:linux:linux_kernel:2.6.22.1
  • Linux Kernel 2.6.22.3
    cpe:2.3:o:linux:linux_kernel:2.6.22.3
  • Linux Kernel 2.6.22.4
    cpe:2.3:o:linux:linux_kernel:2.6.22.4
  • Linux Kernel 2.6.22.5
    cpe:2.3:o:linux:linux_kernel:2.6.22.5
  • Linux Kernel 2.6.22.6
    cpe:2.3:o:linux:linux_kernel:2.6.22.6
  • Linux Kernel 2.6.22.7
    cpe:2.3:o:linux:linux_kernel:2.6.22.7
  • Linux Kernel 2.6.22.16
    cpe:2.3:o:linux:linux_kernel:2.6.22.16
  • Linux Kernel 2.6.23
    cpe:2.3:o:linux:linux_kernel:2.6.23
  • Linux Kernel 2.6.23 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.23:rc1
  • Linux Kernel 2.6.23 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.23:rc2
  • Linux Kernel 2.6.23.1
    cpe:2.3:o:linux:linux_kernel:2.6.23.1
  • Linux Kernel 2.6.23.2
    cpe:2.3:o:linux:linux_kernel:2.6.23.2
  • Linux Kernel 2.6.23.3
    cpe:2.3:o:linux:linux_kernel:2.6.23.3
  • Linux Kernel 2.6.23.4
    cpe:2.3:o:linux:linux_kernel:2.6.23.4
  • Linux Kernel 2.6.23.5
    cpe:2.3:o:linux:linux_kernel:2.6.23.5
  • Linux Kernel 2.6.23.6
    cpe:2.3:o:linux:linux_kernel:2.6.23.6
  • Linux Kernel 2.6.23.7
    cpe:2.3:o:linux:linux_kernel:2.6.23.7
  • Linux Kernel 2.6.23.9
    cpe:2.3:o:linux:linux_kernel:2.6.23.9
  • Linux Kernel 2.6.23.14
    cpe:2.3:o:linux:linux_kernel:2.6.23.14
  • Linux Kernel 2.6.24
    cpe:2.3:o:linux:linux_kernel:2.6.24
  • Linux Kernel 2.6.24 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.24:rc2
  • Linux Kernel 2.6.24 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.24:rc3
  • Linux Kernel 2.6.24.1
    cpe:2.3:o:linux:linux_kernel:2.6.24.1
CVSS
Base: 7.2 (as of 12-02-2008 - 17:57)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
  • Vector: LOCAL
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
exploit-db via4
  • description Linux Kernel 2.6.23 - 2.6.24 vmsplice Local Root Exploit. CVE-2008-0009,CVE-2008-0010,CVE-2008-0600. Local exploit for linux platform
    file exploits/linux/local/5093.c
    id EDB-ID:5093
    last seen 2016-01-31
    modified 2008-02-09
    platform linux
    port
    published 2008-02-09
    reporter qaaz
    source https://www.exploit-db.com/download/5093/
    title Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit
    type local
  • description Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit. CVE-2008-0009,CVE-2008-0010,CVE-2008-0600. Local exploit for linux platform
    file exploits/linux/local/5092.c
    id EDB-ID:5092
    last seen 2016-01-31
    modified 2008-02-09
    platform linux
    port
    published 2008-02-09
    reporter qaaz
    source https://www.exploit-db.com/download/5092/
    title Linux Kernel 2.6.17 <= 2.6.24.1 - vmsplice Local Root Exploit
    type local
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-1423.NASL
    description Update to Linux kernel 2.6.23.15: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.15 Fix vmsplice local root vulnerability: CVE-2008-0009: Fixed by update to 2.6.23.15. CVE-2008-0010: Fixed by update to 2.6.23.15. CVE-2008-0600: Extra fix from upstream applied. Fix memory leak in netlabel code. Work around broken Seagate LBA48 disks. (#429364) Fix futex oops on uniprocessor machine. (#429412) Add support for new Macbook touchpads. (#426574) Fix the initio driver broken in 2.6.23. (#390531) Fix segfaults from using vdso=2. (#427641) FireWire updates, fixing multiple problems. (#429598) ACPI: fix multiple problems with brightness controls (#427518) Fix Megahertz PCMCIA Ethernet adapter (#233255) Fix oops in netfilter. (#430663) ACPI: fix early init of EC (#426480) ALSA: fix audio on some systems with STAC codec (#431360) Atheros L2 fast Ethernet driver (atl2) for ASUS Eeepc. ASUS Eeepc ACPI hotkey driver. Wireless driver updates from upstream. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 31030
    published 2008-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31030
    title Fedora 8 : kernel-2.6.23.15-137.fc8 (2008-1423)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-1422.NASL
    description Update to Linux kernel 2.6.23.15: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.15 Fix vmsplice local root vulnerability: CVE-2008-0009: Fixed by update to 2.6.23.15. CVE-2008-0010: Fixed by update to 2.6.23.15. CVE-2008-0600: Extra fix from upstream applied. Fix memory leak in netlabel code (#352281) Autoload the Dell dcdbas driver like in F8 (#326041) Work around broken Seagate LBA48 disks. (F8#429364) Fix futex oops on uniprocessor machine. (F8#429412) Add support for new Macbook touchpads. (F8#426574) Fix the initio driver broken in 2.6.23. (F8#390531) Fix segfaults from using vdso=2. (F8#427641) FireWire updates, fixing multiple problems. ACPI: fix multiple problems with brightness controls (F8#427518) Wireless driver updates from upstream. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 31029
    published 2008-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31029
    title Fedora 7 : kernel-2.6.23.15-80.fc7 (2008-1422)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2008-042-01.NASL
    description New kernel packages are available for Slackware 12.0, and -current to fix a local root exploit.
    last seen 2019-02-21
    modified 2016-12-09
    plugin id 31027
    published 2008-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31027
    title Slackware 12.0 / current : kernel exploit fix (SSA:2008-042-01)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-043.NASL
    description A flaw in the vmsplice system call did not properly verify address arguments passed by user-space processes, which allowed local attackers to overwrite arbitrary kernel memory and gain root privileges. Mandriva urges all users to upgrade to these new kernels immediately as this flaw is being actively exploited. This issue only affects 2.6.17 and newer Linux kernels, so neither Corporate 3.0 nor Corporate 4.0 are affected. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36383
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36383
    title Mandriva Linux Security Advisory : kernel (MDVSA-2008:043)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1494.NASL
    description The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (CVE-2008-0010, CVE-2008-0600). In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 31028
    published 2008-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31028
    title Debian DSA-1494-2 : linux-2.6 - missing access checks
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0129.NASL
    description From Red Hat Security Advisory 2008:0129 : Updated kernel packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600) Red Hat is aware that a public exploit for this issue is available. This issue did not affect the Linux kernels distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2016-05-20
    plugin id 67651
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67651
    title Oracle Linux 5 : kernel (ELSA-2008-0129)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-577-1.NASL
    description Wojciech Purczynski discovered that the vmsplice system call did not properly perform verification of user-memory pointers. A local attacker could exploit this to overwrite arbitrary kernel memory and gain root privileges. (CVE-2008-0600). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 31092
    published 2008-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31092
    title Ubuntu 6.10 / 7.04 / 7.10 : linux-source-2.6.17/20/22 vulnerability (USN-577-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-5339.NASL
    description This kernel update fixes the following security problems: CVE-2008-2136: A problem in SIT IPv6 tunnel handling could be used by remote attackers to immediately crash the machine. CVE-2008-1615: On x86_64 a denial of service attack could be used by local attackers to immediately panic / crash the machine. CVE-2008-2148: The permission checking in sys_utimensat was incorrect and local attackers could change the filetimes of files they do not own to the current time. CVE-2008-1669: Fixed a SMP ordering problem in fcntl_setlk that could potentially allow local attackers to execute code by timing file locking. CVE-2008-1375: Fixed a dnotify race condition, which could be used by local attackers to potentially execute code. CVE-2007-6282: A remote attacker could crash the IPSec/IPv6 stack by sending a bad ESP packet. This requires the host to be able to receive such packets (filtered by the firewall by default). CVE-2008-1367: Clear the 'direction' flag before calling signal handlers. For specific, not yet identified programs under specific timing conditions this could potentially have caused memory corruption or code execution. And the following bugs (numbers are https://bugzilla.novell.com/ references) : - patches.fixes/input-add-amilo-pro-v-to-nomux.patch: Update the patch to include also 2030 model to nomux list (bnc#389169). - patches.apparmor/fix-net.diff: AppArmor: fix Oops in apparmor_socket_getpeersec_dgram() (bnc#378608). - patches.fixes/input-alps-update.patch: Input: fix the AlpsPS2 driver (bnc#357881). - patches.arch/cpufreq_fix_acpi_driver_on_BIOS_changes.patch: CPUFREQ: Check against freq changes from the BIOS (334378). - patches.fixes/ieee1394-limit-early-node-speed-to-host-interface-speed: ieee1394: limit early node speed to host interface speed (381304). - patches.fixes/forcedeth_realtec_phy_fix: Fix a regression to the GA kernel for some forcedeth cards (bnc#379478) - pci-revert-SMBus-unhide-on-nx6110.patch: Do not unhide the SMBus on the HP Compaq nx6110, it's unsafe. - patches.drivers/e1000-disable-l1aspm.patch: Disable L1 ASPM power savings for 82573 mobile variants, it's broken (bnc#254713, LTC34077). - patches.drivers/libata-improve-hpa-error-handling: libata: improve HPA error handling (365534). - rpm/kernel-binary.spec.in: Added Conflicts: libc.so.6()(64bit) to i386 arch (364433). - patches.drivers/libata-disallow-sysfs-read-access-to-force-param: libata: don't allow sysfs read access to force param (362599). - patches.suse/bonding-workqueue: Update to fix a hang when closing a bonding device (342994). - patches.fixes/mptspi-dv-renegotiate-oops: mptlinux crashes on kernel 2.6.22 (bnc#271749). - patches.drivers/usb-update-sierra-and-option-device-ids-from-2.6.25-rc3.patch: USB: update sierra and option device ids from 2.6.25-rc3 (343167). - patches.arch/x86-nvidia-timer-quirk: Disable again (#302327) The PCI ID lists are not complete enough and let's have the same crap as mainline for this for now. - patches.fixes/input-add-lenovo-3000-n100-to-nomux.patch: Input: add Lenovo 3000 N100 to nomux blacklist (bnc#284013). - patches.suse/bonding-bh-locking: Add missing chunks. The SLES10 SP1 version of the patch was updated in May 2007 but the openSuse 10.3 version was forgotten (260069). - patches.fixes/knfsd-Allow-NFSv2-3-WRITE-calls-to-succeed-when-krb.patch: knfsd: Allow NFSv2/3 WRITE calls to succeed when krb5i etc is used. (348737). - patches.fixes/md-fix-an-occasional-deadlock-in-raid5.patch: md: fix an occasional deadlock in raid5 (357088). - patches.drivers/libata-quirk_amd_ide_mode: PCI: modify SATA IDE mode quirk (345124). - Fix section mismatch build failure w/ gcc 4.1.2. bug #361086. - patches.drivers/libata-implement-force-parameter: libata: implement libata.force module parameter (337610). Lots of XEN fixes (not listed in detail). Lots of RT fixes (not listed in detail). - Update to 2.6.22.18 - removes upstreamed patch : - patches.fixes/vmsplice-pipe-exploit (CVE-2008-0600)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 33253
    published 2008-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33253
    title openSUSE 10 Security Update : kernel (kernel-5339)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0129.NASL
    description Updated kernel packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600) Red Hat is aware that a public exploit for this issue is available. This issue did not affect the Linux kernels distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 31054
    published 2008-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31054
    title CentOS 5 : kernel (CESA-2008:0129)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2008-2002.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - [x86_64] kernel vmsplice_to_pipe flaw (Alexander Viro) [432252] (CVE-2008-0600)
    last seen 2019-02-21
    modified 2017-02-14
    plugin id 79445
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79445
    title OracleVM 2.1 : kernel (OVMSA-2008-2002)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0129.NASL
    description Updated kernel packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600) Red Hat is aware that a public exploit for this issue is available. This issue did not affect the Linux kernels distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 31086
    published 2008-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31086
    title RHEL 5 : kernel (RHSA-2008:0129)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080212_KERNEL_ON_SL5_X.NASL
    description A flaw was found in vmsplice. An unprivileged local user could use this flaw to gain root privileges. (CVE-2008-0600) There is a publicly available exploit for this issue.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60358
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60358
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4986.NASL
    description This kernel update fixes the following security problems : - CVE-2008-0600: A local privilege escalation was found in the vmsplice_pipe system call, which could be used by local attackers to gain root access. - CVE-2007-6206: Core dumps from root might be accessible to the wrong owner. And the following bugs (numbers are https://bugzilla.novell.com/ references) : - Update to minor kernel version 2.6.22.17 - networking bugfixes - contains the following patches which were removed : - patches.arch/acpica-psd.patch - patches.fixes/invalid-semicolon - patches.fixes/nopage-range-fix.patch - patches.arch/acpi_thermal_blacklist_add_r50p.patch: Avoid critical temp shutdowns on specific Thinkpad R50p (https://bugzilla.novell.com/show_bug.cgi?id=333043). - Update config files. CONFIG_USB_DEBUG in debug kernel - patches.rt/megasas_IRQF_NODELAY.patch: Convert megaraid sas IRQ to non-threaded IRQ (337489). - patches.drivers/libata-implement-force-parameter added to series.conf. - patches.xen/xen3-fixup-arch-i386: xen3 i386 build fixes. - patches.xen/xenfb-module-param: Re: Patching Xen virtual framebuffer.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 31089
    published 2008-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31089
    title openSUSE 10 Security Update : kernel (kernel-4986)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-044.NASL
    description The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third-party information. (CVE-2007-5500) The tcp_sacktag_write_queue function in the Linux kernel 2.6.21 through 2.6.23.7 allowed remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference (CVE-2007-5501). The do_coredump function in fs/exec.c in the Linux kernel prior to 2.6.24-rc3 did not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which could possibly allow local users to obtain sensitive information (CVE-2007-6206). VFS in the Linux kernel before 2.6.22.16 performed tests of access mode by using the flag variable instead of the acc_mode variable, which could possibly allow local users to bypass intended permissions and remove directories (CVE-2008-0001). The Linux kernel prior to 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allowed local users to access kernel memory via an out-of-range offset (CVE-2008-0007). A flaw in the vmsplice system call did not properly verify address arguments passed by user-space processes, which allowed local attackers to overwrite arbitrary kernel memory and gain root privileges (CVE-2008-0600). Mandriva urges all users to upgrade to these new kernels immediately as the CVE-2008-0600 flaw is being actively exploited. This issue only affects 2.6.17 and newer Linux kernels, so neither Corporate 3.0 nor Corporate 4.0 are affected. Additionally, this kernel updates the version from 2.6.22.12 to 2.6.22.18 and fixes numerous other bugs, including : - fix freeze when ejecting a cm40x0 PCMCIA card - fix crash on unloading netrom - fixes alsa-related sound issues on Dell XPS M1210 and M1330 models - the HZ value was increased on the laptop kernel to increase interactivity and reduce latency - netfilter ipset, psd, and ifwlog support was re-enabled - unionfs was reverted to a working 1.4 branch that is less buggy To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36924
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36924
    title Mandriva Linux Security Advisory : kernel (MDVSA-2008:044)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-1433.NASL
    description CVE-2008-0600 fix (bug #432517) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 31059
    published 2008-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31059
    title Fedora 8 : kernel-xen-2.6-2.6.21-2957.fc8 (2008-1433)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-1629.NASL
    description CVE-2008-0600 fix (bug #432517) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 31078
    published 2008-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31078
    title Fedora 7 : kernel-xen-2.6-2.6.21-7.fc7 (2008-1629)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4987.NASL
    description This kernel update fixes the following security problems : - CVE-2008-0600: A local privilege escalation was found in the vmsplice_pipe system call, which could be used by local attackers to gain root access. - CVE-2007-6151: The isdn_ioctl function in isdn_common.c allowed local users to cause a denial of service via a crafted ioctl struct in which iocts is not null terminated, which triggers a buffer overflow.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 31090
    published 2008-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31090
    title openSUSE 10 Security Update : kernel (kernel-4987)
oval via4
accepted 2013-04-29T04:13:30.467-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
family unix
id oval:org.mitre.oval:def:11358
status accepted
submitted 2010-07-09T03:56:16-04:00
title The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.
version 18
redhat via4
advisories
bugzilla
id 432251
title CVE-2008-0600 kernel vmsplice_to_pipe flaw
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • OR
    • AND
      • comment kernel is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129002
      • comment kernel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314003
    • AND
      • comment kernel-PAE is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129020
      • comment kernel-PAE is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314021
    • AND
      • comment kernel-PAE-devel is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129022
      • comment kernel-PAE-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314023
    • AND
      • comment kernel-debug is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129014
      • comment kernel-debug is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314015
    • AND
      • comment kernel-debug-devel is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129008
      • comment kernel-debug-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314009
    • AND
      • comment kernel-devel is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129006
      • comment kernel-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314007
    • AND
      • comment kernel-doc is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129024
      • comment kernel-doc is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314025
    • AND
      • comment kernel-headers is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129004
      • comment kernel-headers is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314005
    • AND
      • comment kernel-kdump is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129016
      • comment kernel-kdump is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314017
    • AND
      • comment kernel-kdump-devel is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129018
      • comment kernel-kdump-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314019
    • AND
      • comment kernel-xen is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129010
      • comment kernel-xen is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314011
    • AND
      • comment kernel-xen-devel is earlier than 0:2.6.18-53.1.13.el5
        oval oval:com.redhat.rhsa:tst:20080129012
      • comment kernel-xen-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314013
rhsa
id RHSA-2008:0129
released 2008-02-12
severity Important
title RHSA-2008:0129: kernel security update (Important)
rpms
  • kernel-0:2.6.18-53.1.13.el5
  • kernel-PAE-0:2.6.18-53.1.13.el5
  • kernel-PAE-devel-0:2.6.18-53.1.13.el5
  • kernel-debug-0:2.6.18-53.1.13.el5
  • kernel-debug-devel-0:2.6.18-53.1.13.el5
  • kernel-devel-0:2.6.18-53.1.13.el5
  • kernel-doc-0:2.6.18-53.1.13.el5
  • kernel-headers-0:2.6.18-53.1.13.el5
  • kernel-kdump-0:2.6.18-53.1.13.el5
  • kernel-kdump-devel-0:2.6.18-53.1.13.el5
  • kernel-xen-0:2.6.18-53.1.13.el5
  • kernel-xen-devel-0:2.6.18-53.1.13.el5
refmap via4
bid
  • 27704
  • 27801
bugtraq 20080212 rPSA-2008-0052-1 kernel
confirm
debian DSA-1494
exploit-db 5092
fedora
  • FEDORA-2008-1422
  • FEDORA-2008-1423
  • FEDORA-2008-1433
  • FEDORA-2008-1629
mandriva
  • MDVSA-2008:043
  • MDVSA-2008:044
mlist [linux-kernel] 20080210 Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
sectrack 1019393
secunia
  • 28835
  • 28858
  • 28875
  • 28889
  • 28896
  • 28912
  • 28925
  • 28933
  • 28937
  • 29245
  • 30818
suse
  • SUSE-SA:2008:007
  • SUSE-SA:2008:013
  • SUSE-SA:2008:030
ubuntu USN-577-1
vupen ADV-2008-0487
statements via4
contributor Mark J Cox
lastmodified 2008-02-13
organization Red Hat
statement This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4. Updated kernel packages are available to correct this issue for Red Hat Enterprise Linux 5: https://rhn.redhat.com/errata/RHSA-2008-0129.html
Last major update 19-03-2012 - 00:00
Published 12-02-2008 - 16:00
Last modified 30-10-2018 - 12:25