Overview
Oracle Solaris 11 and Solaris 10 are vulnerable to arbitrary code execution if an attacker has read/write access to /proc/self in the process file system.
Description
The process file system (/proc) in Oracle Solaris 11 and Solaris 10 provides a self/ alias that refers to the current executing process's PID subdirectory with state information about the process. Protection mechanisms for /proc in Solaris 11/10 did not properly restrict the current (self) process from modifying itself via /proc. For services strictly providing file IO this lack of restriction allows an attacker to modify the process providing the file IO and execute arbitrary code. |
Impact
An authenticated attacker with read and write access to the /proc/self directory via a vulnerable service providing file IO, may be able to gain arbitrary code execution on a target host. |
Solution
Apply an update Oracle has released updates for Solaris 11 and Solaris 10 to address the vulnerability. |
Restrict access to /proc |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.6 | AV:L/AC:M/Au:S/C:C/I:C/A:C |
| Temporal | 5.2 | E:POC/RL:OF/RC:C |
| Environmental | 3.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to the reporter who wishes to remain anonymous.
This document was written by Trent Novelly.
Other Information
| CVE IDs: | None |
| Date Public: | 2019-07-16 |
| Date First Published: | 2019-07-17 |
| Date Last Updated: | 2019-07-17 10:14 UTC |
| Document Revision: | 18 |