from the g0t-0wn3d? dept.
As Paul Starzetz recently noted on Full Disclosure, the vulnerability CVE-2006-2451 / BID 18874 in the Linux Kernel 2.6.13 up to 2.6.17.3 and 2.6.16.23 is not only a Denial of Service vulnerability, as described in some advisories, but can also be used to get root access as a normal local user (and via SSH of course also remotely). The vulnerability has been fixed in kernel versions 2.6.17.4 and 2.6.16.24, but an easy-to-understand exploit has been posted to the security mailing list Bugtraq, so it won't take long until script kiddies try to use it wherever they can.
So if you run one or more boxes with Linux Kernel 2.6 in your group or institute that are not managed by us, please upgrade the kernel as soon as possible to prevent hostile take-overs of these boxes. Most of the workstations managed by us still run Linux Kernel 2.4, which is not affected, and those that run Linux Kernel 2.6 have already been updated.
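To help with the "upgrade as soon as possible" request, here is a small added check script (not part of the original notice) that tells you whether a kernel version string falls into the range affected by CVE-2006-2451. The thresholds it uses come from the CVE description: the 2.6 series from 2.6.13 up to 2.6.17.3 is affected, the 2.6.16 stable branch is fixed in 2.6.16.24 and the 2.6.17 branch in 2.6.17.4. Everything else (the function names, the `--check` flag) is an assumption of this example. Note that a distribution kernel may carry the fix as a backport without changing its version number, so treat a positive result as a reason to verify with your vendor's advisory rather than as proof of exposure.

```shell
#!/bin/sh
# Added example: classify a kernel version string against the
# CVE-2006-2451 affected range (2.6.13 .. 2.6.17.3, with 2.6.16.24
# and 2.6.17.4 being the first fixed releases of their branches).
# Thresholds are from the CVE description; the script itself is
# not part of the original notice.

# Turn "2.6.17.3-1-686" into four numeric fields, dropping any
# distribution suffix and padding missing fields with 0
# (e.g. "2.6.13" becomes "2 6 13 0").
kernel_fields() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | awk -F. '{
        printf "%d %d %d %d\n", $1+0, $2+0, $3+0, $4+0 }'
}

# Returns 0 (true) when VERSION is in the affected range, 1 otherwise.
kernel_affected() {
    set -- $(kernel_fields "$1")
    major=$1; minor=$2; patch=$3; sub=$4
    # Only the 2.6 series is concerned; 2.4 kernels are not affected.
    [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] || return 1
    case "$patch" in
        13|14|15) return 0 ;;                              # no fixed release in these
        16) [ "$sub" -lt 24 ] && return 0 || return 1 ;;   # 2.6.16.24 carries the fix
        17) [ "$sub" -lt 4 ] && return 0 || return 1 ;;    # 2.6.17.4 carries the fix
        *)  return 1 ;;                                    # 2.6.12 and older, 2.6.18 and newer
    esac
}

# Report on the running kernel when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    v=$(uname -r)
    if kernel_affected "$v"; then
        echo "kernel $v is in the CVE-2006-2451 affected range: upgrade it"
    else
        echo "kernel $v is not in the affected range"
    fi
fi
```

Run it with `--check` on each box, or source it and call `kernel_affected` with the version strings from an inventory list to find the machines that still need the update.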
Update 20:50h: The guess was right: According to a posting on the Debian News list, the Debian.org computer gluck was compromised using a compromised developer account and CVE-2006-2451. This means that this vulnerability is really being used in the wild to compromise computers.