In association with heise online

26 June 2008, 09:44

Critical vulnerability in Solaris 10 multicast filter


The IP kernel module of Solaris 10 can panic when a local unprivileged user sends it a crafted IOCTL request, due to a data type mismatch in ip_multi.c. A user-supplied unsigned integer is assigned to a signed integer variable, which can result in a negative value. This allows a check to be bypassed and ultimately leads to an out-of-bounds write that corrupts kernel memory.
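The bug class described above, as an added illustration that is not code from ip_multi.c or from the advisory: a signed copy of an unsigned request field slips past an upper-bound check, shown beside the unsigned form that rejects it. The struct, function names, bound and sample values are all assumptions constructed for this example, and the sketch only reports the index that would be used instead of writing to it.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_SLOTS 64  /* constructed bound, not a value from ip_multi.c */

/* Hypothetical request layout: the caller controls 'slot'. */
struct request { uint32_t slot; };

/* Flawed pattern: the unsigned field is copied into a signed int, so any
 * value >= 0x80000000 becomes negative and passes the upper-bound test.
 * Returns 1 if the index is accepted, 0 if it is rejected. */
static int accepts_signed(const struct request *req, int *used_index)
{
    int idx = (int)req->slot;       /* the typing mismatch */
    if (idx >= TABLE_SLOTS)         /* only the upper end is checked */
        return 0;
    *used_index = idx;              /* may be negative at this point */
    return 1;
}

/* Corrected pattern: the value stays unsigned end to end, so a single
 * comparison against the bound covers every out-of-range input. */
static int accepts_unsigned(const struct request *req, uint32_t *used_index)
{
    uint32_t idx = req->slot;
    if (idx >= TABLE_SLOTS)
        return 0;
    *used_index = idx;
    return 1;
}

int main(void)
{
    /* Constructed inputs: in range, just past the bound, high bit set. */
    struct request samples[] = { {3}, {64}, {0xFFFFFFF0u} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int si = 0;
        uint32_t ui = 0;
        int a = accepts_signed(&samples[i], &si);
        int b = accepts_unsigned(&samples[i], &ui);
        printf("slot=0x%08x signed-check=%s (idx=%d) unsigned-check=%s\n",
               (unsigned)samples[i].slot, a ? "accept" : "reject", si,
               b ? "accept" : "reject");
    }
    return 0;
}
```

Compiler warnings such as `-Wsign-conversion` and `-Wsign-compare` flag this kind of mismatch during code review.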

Tobias Klein, who discovered the vulnerability, states that it can be used to deny service or potentially to execute injected code with kernel privilege.

Solaris 10 without patch 137111-01 for SPARC and x86, and OpenSolaris based upon builds snv_13 through snv_91 for SPARC and x86, are affected. Solaris 8 and 9 are not affected. There is no workaround, but Solaris 10 with patch 137111-01 or later and OpenSolaris based upon builds snv_92 or later are immune on both platforms.
