Vigil@nce: Solaris, denial of service of Crypto Driver
March 2009 by Vigil@nce
A local attacker can use an ioctl in order to stop the system via
a vulnerability of Crypto Driver.
– Gravity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 05/03/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The uts/common/crypto/io/crypto.c file implements the
cryptographic driver of Solaris.
A local user can use an ioctl to obtain information on a
cryptographic session. The object_get_attribute_value() function
fills in these information.
However, this function does not initialize the u_attrs pointer to
NULL. If the session is not valid, an error occurs and then this
pointer is freed because it is not NULL, which panics the kernel.
A local attacker can therefore use an ioctl in order to stop the
system via a vulnerability of Crypto Driver.
CHARACTERISTICS
– Identifiers: 254088, 6767649, VIGILANCE-VUL-8513
– Url: http://vigilance.fr/vulnerability/Solaris-denial-of-service-of-Crypto-Driver-8513