7.5 - CVE-2006-6304

Executive Summary

Informations
Name	CVE-2006-6304	First vendor Publication	2006-12-14
Vendor	Cve	Last vendor Modification	2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6304

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-399	Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10797

Oval ID:	oval:org.mitre.oval:def:10797
Title:	The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.
Description:	The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2006-6304	Version:	5
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section kernel-kdump is earlier than 0:2.6.18-164.11.1.el5 AND kernel-debug is earlier than 0:2.6.18-164.11.1.el5 AND kernel-xen is earlier than 0:2.6.18-164.11.1.el5 AND kernel-headers is earlier than 0:2.6.18-164.11.1.el5 AND kernel-kdump-devel is earlier than 0:2.6.18-164.11.1.el5 AND kernel-xen-devel is earlier than 0:2.6.18-164.11.1.el5 AND kernel is earlier than 0:2.6.18-164.11.1.el5 AND kernel-PAE-devel is earlier than 0:2.6.18-164.11.1.el5 AND kernel-devel is earlier than 0:2.6.18-164.11.1.el5 AND kernel-PAE is earlier than 0:2.6.18-164.11.1.el5 AND kernel-debug-devel is earlier than 0:2.6.18-164.11.1.el5 AND kernel-doc is earlier than 0:2.6.18-164.11.1.el5

Definition Id: oval:org.mitre.oval:def:27615

Oval ID:	oval:org.mitre.oval:def:27615
Title:	DEPRECATED: ELSA-2010-0046 -- kernel security and bug fix update (important)
Description:	[2.6.18-164.11.1.0.1.el5] - [xen] check to see if hypervisor supports memory reservation change (Chuck Anderson) [orabug 7556514] - Add entropy support to igb ( John Sobecki) [orabug 7607479] - [nfs] convert ENETUNREACH to ENOTCONN [orabug 7689332] - [NET] Add xen pv/bonding netconsole support (Tina yang) [orabug 6993043] [bz 7258] - [MM] shrink zone patch (John Sobecki,Chris Mason) [orabug 6086839] - fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042] - [nfsd] fix failure of file creation from hpux client (Wen gang Wang) [orabug 7579314] - FP register state is corrupted during the handling a SIGSEGV (Chuck Anderson) [orabug 7708133] [2.6.18-164.11.1.el5] - [firewire] ohci: handle receive packets with zero data (Jay Fenlason) [547241 547242] {CVE-2009-4138} - [x86] sanity check for AMD northbridges (Andrew Jones) [549905 547518] - [x86_64] disable vsyscall in kvm guests (Glauber Costa) [550968 542612] - [fs] ext3: replace lock_super with explicit resize lock (Eric Sandeen) [549908 525100] - [fs] respect flag in do_coredump (Danny Feng) [544188 544189] {CVE-2009-4036} - [gfs2] make O_APPEND behave as expected (Steven Whitehouse) [547521 544342] - [fs] hfs: fix a potential buffer overflow (Amerigo Wang) [540740 540741] {CVE-2009-4020} - [fuse] prevent fuse_put_request on invalid pointer (Danny Feng) [538736 538737] {CVE-2009-4021} - [mm] call vfs_check_frozen after unlocking the spinlock (Amerigo Wang) [548370 541956] - [infiniband] init neigh->dgid.raw on bonding events (Doug Ledford) [543448 538067] - [scsi] gdth: prevent negative offsets in ioctl (Amerigo Wang) [539420 539421] {CVE-2009-3080} - [fs] gfs2: fix glock ref count issues (Steven Whitehouse) [544978 539240] - [net] call cond_resched in rt_run_flush (Amerigo Wang) [547530 517588] - [scsi] megaraid: fix sas permissions in sysfs (Casey Dahlin) [537312 537313] {CVE-2009-3889 CVE-2009-3939} - [ia64] kdump: restore registers in the stack on init (Takao Indoh ) [542582 515753] - [x86] kvm: don't ask HV for tsc khz if not using kvmclock (Glauber Costa ) [537027 531268] - [net] sched: fix panic in bnx2_poll_work (John Feeney ) [539686 526481] - [x86_64] fix 32-bit process register leak (Amerigo Wang ) [526797 526798] - [cpufreq] add option to avoid smi while calibrating (Matthew Garrett ) [537343 513649] - [kvm] use upstream kvm_get_tsc_khz (Glauber Costa ) [540896 531025] - [net] fix unbalance rtnl locking in rt_secret_reschedule (Neil Horman ) [549907 510067] - [net] r8169: imporved rx length check errors (Neil Horman ) [552913 552438] - [scsi] lpfc: fix FC ports offlined during target controller faults (Rob Evers ) [549906 516541] - [net] emergency route cache flushing fixes (Thomas Graf ) [545662 545663] {CVE-2009-4272} - [fs] fasync: split 'fasync_helper()' into separate add/remove functions (Danny Feng ) [548656 548657] {CVE-2009-4141} - [scsi] qla2xxx: NPIV vport management pseudofiles are world writable (Tom Coughlan ) [537317 537318] {CVE-2009-3556}
Family:	unix	Class:	patch
Reference(s):	ELSA-2010-0046 CVE-2009-3889 CVE-2009-3939 CVE-2009-4020 CVE-2009-4021 CVE-2009-4138 CVE-2009-4141 CVE-2009-4272 CVE-2009-2910 CVE-2009-3080 CVE-2009-3556 CVE-2006-6304	Version:	4
Platform(s):	Oracle Linux 5	Product(s):	kernel
Definition Synopsis:
Oracle Linux 5.x Packages match section kernel is earlier than 0:2.6.18-164.11.1.0.1.el5 AND ocfs2 is earlier than 0:2.6.18-164.11.1.0.1.el5-1.4.4-1.el5 AND oracleasm is earlier than 0:2.6.18-164.11.1.0.1.el5-2.0.5-1.el5 AND kernel-PAE is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-PAE-devel is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-debug is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-debug-devel is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-devel is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-doc is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-headers is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-xen is earlier than 0:2.6.18-164.11.1.0.1.el5 AND kernel-xen-devel is earlier than 0:2.6.18-164.11.1.0.1.el5 AND ocfs2 is earlier than 0:2.6.18-164.11.1.0.1.el5PAE-1.4.4-1.el5 AND ocfs2 is earlier than 0:2.6.18-164.11.1.0.1.el5debug-1.4.4-1.el5 AND ocfs2 is earlier than 0:2.6.18-164.11.1.0.1.el5xen-1.4.4-1.el5 AND oracleasm is earlier than 0:2.6.18-164.11.1.0.1.el5PAE-2.0.5-1.el5 AND oracleasm is earlier than 0:2.6.18-164.11.1.0.1.el5debug-2.0.5-1.el5 AND oracleasm is earlier than 0:2.6.18-164.11.1.0.1.el5xen-2.0.5-1.el5

Definition Id: oval:org.mitre.oval:def:7446

Oval ID:	oval:org.mitre.oval:def:7446
Title:	Linux Kernel Do_Coredump Security Bypass Vulnerability
Description:	The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2006-6304	Version:	5
Platform(s):	VMWare ESX Server 4.0	Product(s):
Definition Synopsis:
VMware ESX Server 4.0 is installed AND Patch ESX400-201005401-SG is not installed

CPE : Common Platform Enumeration

Type	Description	Count
Os	Linux Linux Kernel cpe:2.3:o:linux:linux_kernel:2.6.19:-::::::	1

OpenVAS Exploits

Date	Description
2012-04-16	Name : VMSA-2010-0009: ESXi utilities and ESX Service Console third party updates File : nvt/gb_VMSA-2010-0009.nasl
2011-08-09	Name : CentOS Update for kernel CESA-2010:0046 centos5 i386 File : nvt/gb_CESA-2010_0046_kernel_centos5_i386.nasl
2010-01-20	Name : RedHat Update for kernel RHSA-2010:0046-01 File : nvt/gb_RHSA-2010_0046-01_kernel.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
31466	Linux Kernel fs/exec.c do_coredump() Function File Overwrite

Information Assurance Vulnerability Management (IAVM)

Date	Description
2010-01-28	IAVM : 2010-A-0015 - Multiple Vulnerabilities in Red Hat Linux Kernel Severity : Category I - VMSKEY : V0022631

Nessus® Vulnerability Scanner

Date	Description
2016-03-08	Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2010-0009_remote.nasl - Type : ACT_GATHER_INFO
2014-11-26	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2013-0039.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0046.nasl - Type : ACT_GATHER_INFO
2010-06-01	Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2010-0009.nasl - Type : ACT_GATHER_INFO
2010-01-21	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0046.nasl - Type : ACT_GATHER_INFO
2010-01-20	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0046.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

http://secunia.com/advisories/23349
http://support.avaya.com/css/P8/documents/100073666
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.19.1
http://www.securityfocus.com/bid/21591
http://www.trustix.org/errata/2006/0074/
http://www.vupen.com/english/advisories/2006/5002
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://rhn.redhat.com/errata/RHSA-2010-0046.html
https://rhn.redhat.com/errata/RHSA-2010-0095.html

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2024-11-28 23:18:45	Multiple Updates
2024-11-28 12:10:44	Multiple Updates
2021-05-04 12:04:57	Multiple Updates
2021-04-22 01:05:33	Multiple Updates
2020-05-23 00:18:47	Multiple Updates
2017-10-11 09:23:47	Multiple Updates
2016-04-26 15:23:15	Multiple Updates
2016-03-09 13:25:54	Multiple Updates
2014-11-27 13:27:14	Multiple Updates
2014-02-17 10:38:04	Multiple Updates
2013-11-11 12:37:37	Multiple Updates
2013-05-11 11:15:54	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	3
CPE ID(s)	1
Sources(s)	10
osvdb(s)	1
Openvas Exploit(s)	3
IAVM(s)	1
Nessus® Exploit(s)	6

	Related
10	VMSA-2010-0009
7.8	RHSA-2010:0046
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)

7.5 - CVE-2006-6304

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Information Assurance Vulnerability Management (IAVM)

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU