The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Solaris: denial of service of Sun Cluster

Synthesis of the vulnerability 

A local attacker can stop sibling Sun Cluster nodes.
Impacted products: Solaris, Trusted Solaris.
Severity of this bulletin: 1/4.
Creation date: 25/04/2007.
Références of this threat: 102874, 6497075, BID-23638, CVE-2007-2267, VIGILANCE-VUL-6765.

Description of the vulnerability 

The USCSICMD ioctl permits to send low level SCSI commands to devices. Only root can use this ioctl.

An attacker located in a Sun Cluster node can use this ioctl in order to corrupt memory of other nodes, which stops them.

A privileged attacker can therefore generate a denial of service.

This vulnerability can for example be exploited with EMC Symcli backup version 6.2.1.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer weakness note impacts software or systems such as Solaris, Trusted Solaris.

Our Vigil@nce team determined that the severity of this security bulletin is low.

The trust level is of type confirmed by the editor, with an origin of privileged shell.

An attacker with a expert ability can exploit this weakness announce.

Solutions for this threat 

Solaris: patch for Sun Cluster.
A patch is available:
  SPARC Platform
    * Sun Cluster 3.1 (Solaris 8) : patch 117950-29
    * Sun Cluster 3.1 (Solaris 9) : patch 117949-29
    * Sun Cluster 3.1 (Solaris 10) : patch 120500-14
    * Sun Cluster 3.2 (Solaris 9) : patch 126105-01
    * Sun Cluster 3.2 (Solaris 10) : patch 126106-01
  x86 Platform
    * Sun Cluster 3.1 (Solaris 9) : patch 117909-29
    * Sun Cluster 3.1 (Solaris 10) : patch 120501-14
    * Sun Cluster 3.2 (Solaris 10) : patch 126107-01
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a software vulnerability announce. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.