CVE-2009-1184

medium

Description

The selinux_ip_postroute_iptables_compat function in security/selinux/hooks.c in the SELinux subsystem in the Linux kernel before 2.6.27.22, and 2.6.28.x before 2.6.28.10, when compat_net is enabled, omits calls to avc_has_perm for the (1) node and (2) port, which allows local users to bypass intended restrictions on network traffic. NOTE: this was incorrectly reported as an issue fixed in 2.6.27.21.

References

https://launchpad.net/bugs/cve/2009-1184

http://www.ubuntu.com/usn/usn-793-1

http://www.openwall.com/lists/oss-security/2009/05/04/1

http://www.mandriva.com/security/advisories?name=MDVSA-2009:135

http://www.mandriva.com/security/advisories?name=MDVSA-2009:119

http://www.mandriva.com/security/advisories?name=MDVSA-2009:118

http://www.debian.org/security/2009/dsa-1800

http://secunia.com/advisories/35656

http://secunia.com/advisories/35121

http://patchwork.ozlabs.org/patch/25238/

http://lwn.net/Articles/331435/

http://lwn.net/Articles/331434/

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git%3Ba=commit%3Bh=910c9e41186762de3717baaf392ab5ff0c454496

Details

Source: Mitre, NVD

Published: 2009-05-05

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 4.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium