CVE-2009-0834
First published: Mon Mar 02 2009(Updated: )
Description of problem: On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process make a 32-bit system call with int $0x80. In both these cases, audit_syscall_entry() will use the wrong system call number table and the wrong system call argument registers. This could be used to circumvent a syscall audit configuration that filters based on the syscall numbers or argument details. References: <a href="http://scary.beasts.org/security/CESA-2009-001.html">http://scary.beasts.org/security/CESA-2009-001.html</a> <a href="http://scary.beasts.org/security/CESA-2009-004.html">http://scary.beasts.org/security/CESA-2009-004.html</a> <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2009-0835 kernel: x86-64: seccomp: 32/64 syscall hole" href="show_bug.cgi?id=487255">https://bugzilla.redhat.com/show_bug.cgi?id=487255</a> <a href="http://lkml.org/lkml/2009/2/27/451">http://lkml.org/lkml/2009/2/27/451</a> summary <a href="http://lkml.org/lkml/2009/2/27/452">http://lkml.org/lkml/2009/2/27/452</a> syscall-audit
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | <=2.6.28.7 | |
| Debian Linux | =4.0 | |
| Debian Linux | =5.0 | |
| Ubuntu | =7.10 | |
| Ubuntu | =8.04 | |
| Ubuntu | =8.10 | |
| Red Hat Enterprise Linux Desktop | =4.0 | |
| Red Hat Enterprise Linux Desktop | =5.0 | |
| Red Hat Enterprise Linux Server EUS | =4.7 | |
| Red Hat Enterprise Linux Server EUS | =5.3 | |
| Red Hat Enterprise Linux Server | =4.0 | |
| Red Hat Enterprise Linux Server | =5.0 | |
| Red Hat Enterprise Linux Server | =5.3 | |
| Red Hat Enterprise Linux Workstation | =4.0 | |
| Red Hat Enterprise Linux Workstation | =5.0 | |
| openSUSE | =10.3 | |
| openSUSE | =11.0 | |
| SUSE Linux Enterprise Desktop | =10-sp2 | |
| SUSE Linux Enterprise Server | =10-sp2 | |
| SUSE Linux Enterprise Software Development Kit | =10-sp2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://scary.beasts.org/security/CESA-2009-001.html
- http://scary.beasts.org/security/CESA-2009-004.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=487255
- http://lkml.org/lkml/2009/2/27/451
- http://lkml.org/lkml/2009/2/27/452
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=333681
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=333681&action=edit
- http://git.kernel.org/linus/ccbe495caa5e604b04d5a31d7459a6f6a76a756c
- https://rhn.redhat.com/errata/RHSA-2009-0451.html
- https://rhn.redhat.com/errata/RHSA-2009-0459.html
- https://rhn.redhat.com/errata/RHSA-2009-0473.html
- https://rhn.redhat.com/errata/RHSA-2010-0079.html
- https://bugzilla.redhat.com/show_bug.cgi?id=487990
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ccbe495caa5e604b04d5a31d7459a6f6a76a756c
- http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00001.html
- http://marc.info/?l=linux-kernel&m=123579056530191&w=2
- http://marc.info/?l=linux-kernel&m=123579065130246&w=2
- http://marc.info/?l=oss-security&m=123597642832637&w=2
- http://rhn.redhat.com/errata/RHSA-2009-0459.html
- http://rhn.redhat.com/errata/RHSA-2009-0473.html
- http://secunia.com/advisories/34084
- http://secunia.com/advisories/34917
- http://secunia.com/advisories/34962
- http://secunia.com/advisories/34981
- http://secunia.com/advisories/35011
- http://secunia.com/advisories/35015
- http://secunia.com/advisories/35120
- http://secunia.com/advisories/35121
- http://secunia.com/advisories/35185
- http://secunia.com/advisories/35390
- http://secunia.com/advisories/35394
- http://secunia.com/advisories/37471
- http://wiki.rpath.com/Advisories:rPSA-2009-0084
- http://www.debian.org/security/2009/dsa-1787
- http://www.debian.org/security/2009/dsa-1794
- http://www.debian.org/security/2009/dsa-1800
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:118
- http://www.redhat.com/support/errata/RHSA-2009-0451.html
- http://www.securityfocus.com/archive/1/503610/100/0/threaded
- http://www.securityfocus.com/archive/1/507985/100/0/threaded
- http://www.securityfocus.com/bid/33951
- http://www.securitytracker.com/id?1022153
- http://www.ubuntu.com/usn/usn-751-1
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://www.vupen.com/english/advisories/2009/3316
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49061
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8508
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9600
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ccbe495caa5e604b04d5a31d7459a6f6a76a756c
Frequently Asked Questions
What is the severity of CVE-2009-0834?
CVE-2009-0834 has been categorized as a low-severity vulnerability.
How do I fix CVE-2009-0834?
To fix CVE-2009-0834, update your Linux kernel to a patched version beyond 2.6.28.7.
Which systems are affected by CVE-2009-0834?
CVE-2009-0834 affects various versions of Linux kernels, Debian Linux versions 4.0 and 5.0, as well as specific Ubuntu and Red Hat versions.
What type of attack does CVE-2009-0834 facilitate?
CVE-2009-0834 can potentially allow privilege escalation through improper handling of system calls.
Is there a workaround for CVE-2009-0834?
Currently, the best workaround for CVE-2009-0834 is to apply the recommended patches available for your affected systems.
- collector/redhat-bugzilla
- alias/CVE-2009-0834
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/author
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- collector/nvd-index
- vendor/linux
- canonical/linux kernel
- version/linux kernel/2.6.28.7
- vendor/debian
- canonical/debian linux
- version/debian linux/4.0
- version/debian linux/5.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/7.10
- version/ubuntu/8.04
- version/ubuntu/8.10
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/4.0
- version/red hat enterprise linux desktop/5.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/4.7
- version/red hat enterprise linux server eus/5.3
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/4.0
- version/red hat enterprise linux server/5.0
- version/red hat enterprise linux server/5.3
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/4.0
- version/red hat enterprise linux workstation/5.0
- vendor/opensuse
- canonical/opensuse
- version/opensuse/10.3
- version/opensuse/11.0
- vendor/suse
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/10-sp2
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10-sp2
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/10-sp2