Vigil@nce: Solaris, denial of service of keysock
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the keysock kernel module to stop the
system.
Gravity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/03/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The keysock kernel module manages IPSec keys. A privileged user
can access to keysock via a socket of type PF_KEY.
The keysock_opt_set() function of the uts/common/inet/ip/keysock.c
file changes options of this socket. It uses a "switch" to test
the type of its parameters. However, if the type does not have a
known value, the "errno" variable is not set (because there is no
"default" in the switch) to indicate the error. The kernel then
uses uninitialized structures, which panics it.
A local privileged attacker can therefore use the keysock kernel
module to stop the system.
CHARACTERISTICS
Identifiers: 253568, 6797746, BID-34118, VIGILANCE-VUL-8538
http://vigilance.fr/vulnerability/Solaris-denial-of-service-of-keysock-8538
To change your email preferences (frequency, gravity threshold, format):