The illumos security team have today published a security advisory concerning CVE-2023-31284, a kernel stack overflow that can be performed by an unprivileged user, either in the global zone or in any non-global zone. A copy of their advisory is below.
ACTION: If you are using any of the supported OmniOS versions, or the recently retired r42, run pkg update to upgrade to a version that includes the fix. Note that a reboot is required. If you have already upgraded to r46, then you are all set, as it already includes the fix.
The following OmniOS versions include the fix:
- r151046
- r151044y
- r151042az
- r151038cz
If you are running an earlier version, upgrade to a supported version (in stages if necessary) following the upgrade guide.
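To tell at a glance whether a given OmniOS release string is at or beyond the first update carrying the fix, the following added example (not part of the advisory or of OmniOS itself) parses release names of the form used in the list above, such as r151044y, and compares the update suffix against the fixed versions. It assumes the administrator supplies the release string, and that OmniOS update suffixes are ordered a..z, then aa..az, ba.., and so on.

```python
import re

# Fixed OmniOS releases as listed in the advisory. The empty suffix for
# r151046 means every update of that release already carries the fix.
FIXED_RELEASES = {
    151046: "",
    151044: "y",
    151042: "az",
    151038: "cz",
}

_RELEASE_RE = re.compile(r"^r(\d{6})([a-z]*)$")


def parse_release(release: str) -> tuple[int, str]:
    """Split a release string such as 'r151044y' into (branch, update suffix)."""
    m = _RELEASE_RE.match(release.strip().lower())
    if not m:
        raise ValueError(f"unrecognised OmniOS release string: {release!r}")
    return int(m.group(1)), m.group(2)


def suffix_key(suffix: str) -> tuple[int, str]:
    """Sort key for update suffixes: '' < 'a' < ... < 'z' < 'aa' < ... < 'az' < 'ba' (assumed ordering)."""
    return (len(suffix), suffix)


def has_fix(release: str) -> bool:
    """True if the release is at or beyond the first update that includes the fix."""
    branch, suffix = parse_release(release)
    if branch > max(FIXED_RELEASES):
        # Assumption: any release newer than r151046 was cut after the fix landed.
        return True
    if branch not in FIXED_RELEASES:
        # r151040 and anything older than r151038: no fixed update is listed.
        return False
    return suffix_key(suffix) >= suffix_key(FIXED_RELEASES[branch])


if __name__ == "__main__":
    # Constructed sample inputs, not values captured from a real system.
    for rel in ("r151046", "r151044y", "r151044x", "r151042z", "r151042ba", "r151038cz", "r151040"):
        print(rel, "fixed" if has_fix(rel) else "NEEDS UPDATE")
```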
illumos Security Team advisory
We are reaching out today to inform you about CVE-2023-31284. We have pushed a commit to address this, which you can find at https://github.com/illumos/illumos-gate/commit/676abcb77c26296424298b37b9. While we don’t currently know of anyone exploiting this in the wild, this is a kernel stack overflow that can be performed by an unprivileged user, either in the global zone, or any non-global zone.
The following details provide information about this particular issue:
IMPACT: An unprivileged user in any zone can cause a kernel stack buffer overflow. While stack canaries can capture this and lead to a denial of service, it is possible for a skilled attacker to leverage this for local privilege escalation or execution of arbitrary code (e.g. if combined with another bug such as an information leak).
ACTION: Please be on the lookout for patches from your distribution and be ready to update.
MITIGATIONS: Running a kernel built with -fstack-protector (the illumos default) can help mitigate this and turn these issues into a denial of service, but that is not a guarantee. We believe that unprivileged processes which have called chroot(2) with a new root that does not contain the sdev (/dev) filesystem most likely cannot trigger the bug, but an exhaustive analysis is still required.
Please reach out to us if you have any questions, whether on the mailing list, IRC, or otherwise, and we’ll try to help as we can.
We’d like to thank Alex Wilson and the students at the University of Queensland for reporting this issue to us, and to Dan McDonald for his work in fixing it.
The illumos Security Team
Any problems or questions, please get in touch.