{"vuid":"VU#790507","idnumber":"790507","name":"Oracle Solaris vulnerable to arbitrary code execution via /proc/self","keywords":[""],"overview":"Oracle Solaris 11 and Solaris 10 are vulnerable to arbitrary code execution if an attacker has read/write access to /proc/self in the process file system.","clean_desc":"The process file system (/proc) in Oracle Solaris 11 and Solaris 10 provides a self/ alias that refers to the currently executing process's PID subdirectory with state information about the process. Protection mechanisms for /proc in Solaris 11/10 did not properly restrict the current (self) process from modifying itself via /proc. For services strictly providing file IO, this lack of restriction allows an attacker to modify the process providing the file IO and execute arbitrary code.","impact":"An authenticated attacker with read and write access to the /proc/self directory via a vulnerable service providing file IO may be able to gain arbitrary code execution on a target host.","resolution":"Apply an update\nOracle has released updates for Solaris 11 and Solaris 10 to address the vulnerability.","workarounds":"Restrict access to /proc\nIn general, any service providing file IO remotely should have its access to /proc restricted. This can be achieved by correctly chrooting the shared environment.","sysaffected":"","thanks":"Thanks to the reporter who wishes to remain anonymous.","author":"This document was written by Trent Novelly.","public":["https://docs.oracle.com/cd/E19253-01/816-5174/proc-4/index.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2018-10-12T18:58:11Z","publicdate":"2019-07-16T00:00:00Z","datefirstpublished":"2019-07-17T10:14:27Z","dateupdated":"2019-07-17T10:14:27Z","revision":18,"vrda_d1_directreport":"1","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.6","cvss_basevector":"AV:L/AC:M/Au:S/C:C/I:C/A:C","cvss_temporalscore":"5.2","cvss_environmentalscore":"3.853205790336","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}