Oracle Solaris Multiple Vulnerabilities

by Carol~ Moderator - 1/16/13 11:49 AM

In Reply to: VULNERABILITIES / FIXES - January 16, 2013 by Carol~ Moderator

Release Date : 2013-01-16

Criticality level : Less critical
Impact : Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS
Where: Local system
Solution Status : Vendor Patch

Operating System: Oracle Solaris 11.x, Sun Solaris 10.x, Sun Solaris 9.x

Description:
Multiple vulnerabilities have been reported in Oracle Solaris, which can be exploited by malicious, local users to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and gain escalated privileges.

1) An error within the filesystem/cachefs subcomponent can be exploited to gain escalated privileges.

2) An error within the Utility/Umount subcomponent can be exploited to gain escalated privileges.

Vulnerabilities #1 and #2 are reported in Oracle Solaris 9 and 10.

3) An error within the Postinstall script for the Bind package can be exploited to gain escalated privileges.

4) An error within the Kernel/DTrace Framework subcomponent can be exploited to cause a DoS.

This vulnerability is reported in Oracle Solaris 10 and 11.

5) An error within the Install/smpatch subcomponent can be exploited to read, update, insert, or delete certain Solaris accessible data.

Vulnerabilities #3 and #5 are reported in Oracle Solaris 10.

6) An error within the Utility/ksh93 subcomponent can be exploited to update, insert, or delete certain Solaris accessible data and cause a DoS.

7) An error within the kernel can be exploited to cause a crash.

Vulnerabilities #6 and #7 are reported in Oracle Solaris 11.

Solution:
Apply patches (please see the vendor's advisory for details)

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for January 2013 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixSUNS

http://secunia.com/advisories/51892/