OmniOS 151042 stable


gea

OmniOS 151042 stable is out,

Release 151030 LTS is now end-of-life.
You should upgrade to r151038 to stay on a supported LTS track.

btw
OmniOS is fully Open Source and free.
Nevertheless, it takes a lot of time and money to keep maintaining a full-blown operating system distribution.

If you use OmniOS, consider a support contract, Commercial Support
or becoming a patron, Donate
 

gea

OmniOS update

In the meantime we are at 151042o

among others

- Fix for a rare kernel panic due to a race condition in poll()
- AMD CPU microcode updated to latest versions as of 20220408
- OpenSSL updated to version 1.1.1q and 3.0.5
- Updates to ZFS to gracefully handle unknown/invalid vdev device IDs
 

gea

In the meantime regular current OmniOS stable security and bugfix updates reached r151042z (2022-10-26)

Next OmniOS stable 151044 is announced next week. If you like you can evaluate the release candidate now.

To upgrade to the release candidate use the following package repositories:

If you upgrade to the release candidate now, you can later upgrade to the final release.
If you want to try the installation media, you can find them here
 

gea

The illumos security team have today published a security advisory concerning CVE-2023-31284, a kernel stack overflow that can be performed by an unprivileged user, either in the global zone or in any non-global zone. A copy of their advisory is below.


ACTION: If you are using any of the supported OmniOS versions (see below), or the recently retired r42, run pkg update to upgrade to a version that includes the fix. Note that a reboot is required. If you have already upgraded to r46, then you are all set as it already includes the fix.


The following OmniOS versions include the fix:
  • r151046
  • r151044y
  • r151042az
  • r151038cz

If you are running an earlier version, upgrade to a supported version (in stages if necessary) following Upgrading OmniOS.



##########################
--- illumos Security Team advisory ---


We are reaching out today to inform you about CVE-2023-31284. We have pushed a commit to address this, which you can find at 15586 ddi_parse needs len · illumos/illumos-gate@676abcb. While we don't currently know of anyone exploiting this in the wild, this is a kernel stack overflow that can be performed by an unprivileged user, either in the global zone, or any non-global zone.

The following details provide information about this particular issue:

IMPACT: An unprivileged user in any zone can cause a kernel stack buffer overflow. While stack canaries can capture this and lead to a denial of service, it is possible for a skilled attacker to leverage this for local privilege escalation or execution of arbitrary code (e.g. if combined with another bug such as an information leak).


ACTION: Please be on the lookout for patches from your distribution and be ready to update.


MITIGATIONS: Running a kernel built with -fstack-protector (the illumos default) can help mitigate this and turn these issues into a denial of service, but that is not a guarantee. We believe that unprivileged processes which have called chroot(2) with a new root that does not contain the sdev (/dev) filesystem most likely cannot trigger the bug, but an exhaustive analysis is still required.

Please reach out to us if you have any questions, whether on the mailing list, IRC, or otherwise, and we'll try to help as we can.

We'd like to thank Alex Wilson and the students at the University of Queensland for reporting this issue to us, and to Dan McDonald for his work in fixing it.

The illumos Security Team
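
One way to check a release string against the fixed versions listed in the post above, added here as an example; it is not part of the thread, the advisory or OmniOS tooling. It assumes update suffixes sort a..z, then aa..az, ba.. (consistent with 151042o, r151042z and r151042az in this thread) and that releases newer than r151046 carry the fix; `includes_fix` and `suffix_ge` are hypothetical names.

```shell
#!/bin/sh
# Added example, not OmniOS tooling. Fixed releases are the ones listed above.
FIXED_RELEASES="r151038cz r151042az r151044y r151046"

# suffix_ge A B: succeeds if update suffix A is the same as or later than B.
# Assumed ordering: "" < a..z < aa..az < ba.. (shorter suffix is earlier).
suffix_ge() {
    a=$1 b=$2
    [ "${#a}" -gt "${#b}" ] && return 0
    [ "${#a}" -lt "${#b}" ] && return 1
    [ "$a" = "$b" ] && return 0
    # Same length: plain byte-order comparison.
    first=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$b" ]
}

# includes_fix RELEASE: 0 = fix included, 1 = not included, 2 = unparseable.
includes_fix() {
    rel=${1#r}
    case $rel in
        1510[0-9][0-9]*) ;;
        *) return 2 ;;
    esac
    major=$(printf '%s' "$rel" | cut -c1-6)
    suffix=$(printf '%s' "$rel" | cut -c7-)
    case $suffix in *[!a-z]*) return 2 ;; esac
    for fixed in $FIXED_RELEASES; do
        f=${fixed#r}
        if [ "$major" = "$(printf '%s' "$f" | cut -c1-6)" ]; then
            suffix_ge "$suffix" "$(printf '%s' "$f" | cut -c7-)"
            return
        fi
    done
    # Track not listed: assume anything newer than r151046 inherits the fix;
    # older unlisted tracks (e.g. r151030) need an upgrade to a supported one.
    [ "$major" -gt 151046 ]
}
```

Call it with the release string your system reports, for example `includes_fix r151042z`; a result of 0 still requires that the host was rebooted into the updated boot environment.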
 