Vulnerability Name:CVE-2009-4141 (CCN-55667)

Assigned:2009-12-16
Published:2009-12-16
Updated:2023-02-13
Summary:Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.
CVSS v3 Severity:9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.8 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:TF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.8 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:TF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (REDHAT CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.8 Medium (REDHAT Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:TF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-119
Vulnerability Consequences:Gain Privileges
References:Source: CCN
Type: Full-Disclosure Mailing List, Thu Jan 14 2010
Locked fasync file descriptors can be referenced after free in >= 2.6.28

Source: secalert@redhat.com
Type: Exploit
secalert@redhat.com

Source: MITRE
Type: CNA
CVE-2009-4141

Source: CCN
Type: Linux Kernel GIT Repository
fasync: split 'fasync_helper()' into separate add/remove functions

Source: CCN
Type: VMSA-2010-0009
ESXi utilities and ESX Service Console third party updates

Source: secalert@redhat.com
Type: Exploit
secalert@redhat.com

Source: CCN
Type: RHSA-2010-0046
Important: kernel security and bug fix update

Source: CCN
Type: RHSA-2010-0149
Important: kernel security and bug fix update

Source: CCN
Type: RHSA-2010-0161
Important: kernel-rt security and bug fix update

Source: CCN
Type: SA38199
Linux Kernel FASYNC Use-After-Free Privilege Escalation Vulnerability

Source: CCN
Type: SA39920
VMware vMA kernel Multiple Vulnerabilities

Source: CCN
Type: SA39972
VMware ESXi ntp Mode 7 Request Denial of Service

Source: CCN
Type: SA39973
VMware ESX Multiple krb5 Vulnerabilities

Source: CCN
Type: SA39974
VMware ESX GCC libtool Search Path Privilege Escalation Security Issue

Source: CCN
Type: SA39975
VMware ESX gzip unlzw() Integer Underflow Vulnerability

Source: CCN
Type: SA39976
VMware vMA OpenSSL CRYPTO_free_all_ex_data() Memory Leak Vulnerability

Source: CCN
Type: SA39977
VMware vMA Multiple krb5 Vulnerabilities

Source: CCN
Type: SA39979
VMware vMA GCC libtool Search Path Privilege Escalation Security Issue

Source: CCN
Type: SA39980
VMware vMA gzip unlzw() Integer Underflow Vulnerability

Source: CCN
Type: SA39981
VMware vMA sudo Privilege Escalation Security Issues

Source: secalert@redhat.com
Type: Patch
secalert@redhat.com

Source: secalert@redhat.com
Type: Patch
secalert@redhat.com

Source: CCN
Type: BID-37806
Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability

Source: CCN
Type: USN-894-1
Linux kernel vulnerabilities

Source: XF
Type: UNKNOWN
kernel-fasync-priv-escalation(55667)

Source: SUSE
Type: SUSE-SA:2010:010
Linux kernel security update

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*
  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:linux:linux_kernel:2.6.3:rc4:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.3:rc3:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.3:rc2:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.3:rc1:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:rc1:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:rc5:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:rc2:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:rc3:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:rc4:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:rc7:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:-:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.1:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:git7:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.2:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.3:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.4:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28:rc6:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.5:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.6:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29:rc2:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.7:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.8:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.9:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29:rc1:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29:git1:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29:-:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.28.10:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.5:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.6:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.4:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.3:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.2:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.1:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29:rc8-kk:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29:rc2_git7:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.rc2:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.29.rc1:*:*:*:*:*:*:*
  • OR cpe:/o:linux:linux_kernel:2.6.3:-:*:*:*:*:*:*
  • AND
  • cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
  • OR cpe:/a:vmware:esx_server:4.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
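A practitioner reading the version boundaries in this record usually wants to turn them into a check. The script below is an added example for this page, not a vendor tool. It takes the range from the record itself (the CPE list starts at 2.6.28-rc1; the summary ends the range at mainline 2.6.33-rc4-git1), orders kernel version strings correctly across -rcN and -gitN snapshots, and deliberately refuses to decide for distribution kernels, because the version number of a vendor build proves nothing either way: RHEL 5 ships a 2.6.18-based kernel yet appears in the affected configurations (RHSA-2010:0046), Ubuntu 6.06's kernel is 2.6.15 and is covered by USN-894-1, and vendors backport the fix without changing the upstream version. The constant and function names are mine.

```python
"""Upstream-version triage for the range this CVE record describes.
Added example for this page, not a vendor or upstream tool. Boundaries come
from the record: first affected 2.6.28-rc1 (CPE list), fixed in mainline
2.6.33-rc4-git1 (summary)."""
import re

FIRST_AFFECTED = "2.6.28-rc1"
FIXED_IN = "2.6.33-rc4-git1"

# Mainline version with optional -rcN and -gitN snapshot suffixes. Anything
# left over after this match (e.g. "-164.el5", "-19-generic") is a distro suffix.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc(\d+))?(?:-git(\d+))?")


def parse_kernel_version(s):
    """'2.6.29.6' -> sortable tuple.

    Ordering: release numbers padded to four fields, then a stage tuple.
    Release candidates get (0, rc, git) and sort below the final release's
    (1, 0, git), so 2.6.33-rc4 < 2.6.33-rc4-git1 < 2.6.33-rc5 < 2.6.33
    < 2.6.33-git1 < 2.6.33.1."""
    m = _VER_RE.match(s)
    if not m:
        raise ValueError("not a kernel version: %r" % (s,))
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * max(0, 4 - len(nums))
    rc = int(m.group(2)) if m.group(2) else None
    git = int(m.group(3)) if m.group(3) else 0
    stage = (0, rc, git) if rc is not None else (1, 0, git)
    return nums + stage


def is_distro_kernel(release):
    """True when a `uname -r` string carries a vendor suffix after the
    mainline part, e.g. '2.6.18-164.el5' or '2.6.32-19-generic'."""
    m = _VER_RE.match(release)
    return bool(m) and m.end() != len(release)


def mainline_in_range(version):
    """Pure version comparison against the record's stated boundaries."""
    v = parse_kernel_version(version)
    return parse_kernel_version(FIRST_AFFECTED) <= v < parse_kernel_version(FIXED_IN)


def assess(release):
    """Triage one `uname -r` string.

    Returns:
      'affected' / 'not-affected' : mainline kernel, decided by version alone
      'vendor-kernel'             : distro build; the version proves nothing
                                    either way (RHEL 5 is 2.6.18-based and is
                                    listed as affected; fixed distro kernels
                                    keep their old upstream number), so go by
                                    the vendor advisory and package version.
    """
    if is_distro_kernel(release):
        return "vendor-kernel"
    return "affected" if mainline_in_range(release) else "not-affected"


if __name__ == "__main__":
    import os
    print(os.uname().release, "->", assess(os.uname().release))
```

Saved to a file and run directly, it triages the running host from os.uname(); anything reported as vendor-kernel should be compared against the advisory for that distribution (RHSA-2010:0046, USN-894-1, SUSE-SA:2010:010, VMSA-2010-0009) by package version, not by kernel version string. Two further caveats: the summary's "before 2.6.33-rc4-git1" is a mainline boundary, and stable (x.y.z) branches routinely pick up such fixes under an older number, so a high 2.6.32.y may well already carry the patch; and the 2.6.3 rc1 to rc4 entries in the CPE list predate the 2.6.28 change named in the Full-Disclosure title, look like a data-entry slip, and are not treated as affected here.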
    Oval Definitions (Class: V = vulnerability definition, P = patch definition)

    Definition ID                              Class  Last Modified
    oval:org.opensuse.security:def:20094141    V      2015-11-16
        CVE-2009-4141
    oval:org.mitre.oval:def:13189              P      2014-06-30
        USN-894-1 -- linux, linux-source-2.6.15 vulnerabilities
    oval:org.mitre.oval:def:22940              P      2014-05-26
        ELSA-2010:0046: kernel security and bug fix update (Important)
    oval:org.mitre.oval:def:21777              P      2014-02-24
        RHSA-2010:0046: kernel security and bug fix update (Important)
    oval:org.mitre.oval:def:7054               V      2014-01-20
        Linux Kernel 'fasync_helper()' Local Privilege Escalation Vulnerability
    oval:org.mitre.oval:def:9201               V      2013-04-29
        Use-after-free vulnerability in the fasync_helper function in fs/fcntl.c in the Linux kernel before 2.6.33-rc4-git1 allows local users to gain privileges via vectors that include enabling O_ASYNC (aka FASYNC or FIOASYNC) on a locked file, and then closing this file.
    oval:com.redhat.rhsa:def:20100046          P      2010-01-19
        RHSA-2010:0046: kernel security and bug fix update (Important)