Multiple vulnerabilities have been identified in the Sun Solaris 8, 9 and 10 operating systems. The individual flaws concern errors in the operating system kernel, the CDE Calendar Manager Service and Fault Manager daemons, the FTP server, the libc library and the XScreenSaver component. A local attacker can exploit them to escalate privileges, bypass security restrictions, disclose sensitive information and cause a DoS. Since a corresponding update is available, all users are advised to apply it.

Oracle Solaris Multiple Vulnerabilities
Secunia Advisory: SA42984

Release Date: 2011-01-19

Criticality level: Moderately critical
Impact: Exposure of system information, Privilege escalation, DoS, System access
Where: From local network
Solution Status: Vendor Patch
Operating System: Sun Solaris 8, Sun Solaris 9, Sun Solaris 10

CVE Reference(s): CVE-2010-2632, CVE-2010-3586, CVE-2010-4415, CVE-2010-4433, CVE-2010-4435, CVE-2010-4440, CVE-2010-4442, CVE-2010-4443, CVE-2010-4460

Description
Multiple vulnerabilities have been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges and by malicious people to disclose system information, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) An unspecified error in the CDE Calendar Manager Service daemon can be exploited to potentially execute arbitrary code via specially crafted RPC packets.

2) An unspecified error in the FTP server can be exploited to cause a DoS.

3) An unspecified error in an Ethernet driver can be exploited to disclose certain system information.

4) An unspecified error in the kernel NFS component can be exploited to cause a DoS.

5) An unspecified error in the kernel can be exploited by local users to cause a DoS.

6) A second unspecified error in the kernel can be exploited by local users to cause a DoS.

7) An unspecified error in the Standard C Library (libc) can be exploited by local users to gain escalated privileges.

8) An unspecified error in the Fault Manager daemon can be exploited by local users to gain escalated privileges.

9) An unspecified error in the XScreenSaver component can be exploited by local users to gain escalated privileges.

Solution
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for January 2011 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

