Vulnerability Note VU#648244

Oracle Solaris 10 password hashes leaked through back-out patch files

Original Release date: 05 Apr 2011 | Last revised: 05 Apr 2011


Oracle Solaris 10 back-out patch files (undo.Z) contain password hashes, and in some cases these files are readable by unprivileged users.


The root password hash, along with other users' password hashes, may be contained in the back-out patch files. In some instances these files are readable by unprivileged users. An unprivileged user can extract the password hashes from such a file and perform a brute force attack against them in an attempt to recover the passwords.


An attacker may be able to obtain the credentials for the root or other user accounts.


Apply an Update

Install patch 119254-80. Patch 119254-80 is also part of the April 1st recommended patch set for Solaris 10.

Restrict Access

System administrators should ensure that back-out patch files are not world-readable. These files are typically found at /var/sadm/pkg/<pkgname>/save/<patchid>/undo.Z.
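The following script, added here as an example and not part of the original note, audits a package database directory for world-readable undo.Z files and optionally strips the world-readable bit. It assumes POSIX sh and find; the base directory defaults to the /var/sadm/pkg location named above but can be overridden for testing.

```shell
#!/bin/sh
# Audit Solaris back-out patch files (undo.Z) for world-readable permissions.
# Advisory location: /var/sadm/pkg/<pkgname>/save/<patchid>/undo.Z
# This is example code, not Oracle's or CERT's tooling.

# Print every undo.Z under the given base directory (default /var/sadm/pkg)
# whose "other" read bit (mode 004) is set. Prints nothing when clean.
find_world_readable_undo() {
  base="${1:-/var/sadm/pkg}"
  # -perm -004 is the POSIX octal form; it matches files with o+r set
  # regardless of the remaining mode bits.
  find "$base" -type f -name undo.Z -perm -004 -print 2>/dev/null
  return 0
}

# Remove the world-readable bit from every offending undo.Z and print each
# path that was changed. -print runs only if the chmod succeeded.
fix_undo_permissions() {
  base="${1:-/var/sadm/pkg}"
  find "$base" -type f -name undo.Z -perm -004 \
       -exec chmod o-r {} \; -print 2>/dev/null
  return 0
}

# When invoked with a directory argument, audit it; a second argument of
# --fix also tightens the permissions. With no arguments only the functions
# are defined, so the file can be sourced.
if [ $# -ge 1 ]; then
  if [ "${2:-}" = "--fix" ]; then
    fix_undo_permissions "$1"
  else
    find_world_readable_undo "$1"
  fi
fi
```

Tightening the mode closes the exposure going forward only; it does not undo any copy of the hashes made while the file was world-readable.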

Vendor Information

Vendor               Status     Date Notified   Date Updated
Oracle Corporation   Affected   -               24 Jan 2011

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A




Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2011-0412
  • Date Public: 05 Apr 2011
  • Date First Published: 05 Apr 2011
  • Date Last Updated: 05 Apr 2011
  • Severity Metric: 0.54
  • Document Revision: 23

