search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Oracle Solaris vulnerable to arbitrary code execution via /proc/self

Vulnerability Note VU#790507

Original Release Date: 2019-07-17 | Last Revised: 2019-07-17

Overview

Oracle Solaris 11 and Solaris 10 are vulnerable to arbitrary code execution if an attacker has read/write access to /proc/self in the process file system.

Description

The process file system (/proc) in Oracle Solaris 11 and Solaris 10 provides a self/ alias that refers to the current executing process's PID subdirectory with state information about the process. Protection mechanisms for /proc in Solaris 11/10 did not properly restrict the current (self) process from modifying itself via /proc. For services strictly providing file IO this lack of restriction allows an attacker to modify the process providing the file IO and execute arbitrary code.

Impact

An authenticated attacker with read and write access to the /proc/self directory via a vulnerable service providing file IO, may be able to gain arbitrary code execution on a target host.

Solution

Apply an update

Oracle has released updates for Solaris 11 and Solaris 10 to address the vulnerability.

Restrict access to /proc
In general any service providing file IO remotely should have its access to /proc restricted. This can be achieved by correctly chrooting the shared environment.

Vendor Information

No information available at this time.


CVSS Metrics

Group Score Vector
Base 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C
Temporal 5.2 E:POC/RL:OF/RC:C
Environmental 3.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to the reporter who wishes to remain anonymous.

This document was written by Trent Novelly.

Other Information

CVE IDs: None
Date Public: 2019-07-16
Date First Published: 2019-07-17
Date Last Updated: 2019-07-17 10:14 UTC
Document Revision: 17

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.