A Cisco Talos researcher discovered three vulnerabilities in both the 64-bit and 32-bit versions of Joyent's SmartOS open-source hypervisor, which if exploited can lead to privilege escalation.

The Joyent SmartOS open-source hypervisor contains three vulnerabilities, each present in both its 64-bit and 32-bit versions, all of which can be exploited to achieve privilege escalation. The flaws are found specifically in the product's hyprlofs filesystem and are associated with the HYPRLOFS_ADD_ENTRIES command, according to a vulnerability report by Cisco's Talos threat intelligence division.

The first of the three bugs (CVE-2016-8733 for 64-bit, CVE-2016-9031 for 32-bit) is an integer overflow in the filesystem's input/output control (IOCTL) function, which can be triggered with crafted input. In addition to privilege escalation, exploiting this flaw can also cause a kernel panic.

The second (CVE-2016-9032 for 64-bit, CVE-2016-9034 for 32-bit) and third (CVE-2016-9033 for 64-bit, CVE-2016-9035 for 32-bit) vulnerabilities are both buffer overflows in the same IOCTL function. An attacker triggers them by crafting input that overflows the NM variable or the PATH variable, respectively, resulting in an out-of-bounds memory access that enables privilege escalation.
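To illustrate the two bug classes described above (an integer overflow in the size computation of an "add entries" style IOCTL, and unchecked name and path lengths), here is an added example written for this article; it is not SmartOS or Talos code, and the `hyp_entry` layout, the caps and the function names are constructed assumptions. It contrasts a 32-bit size computation that wraps with a validation routine that rejects overflowing counts and oversized fields before any allocation or copy happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed policy limits; not the values SmartOS uses. */
#define HYP_MAX_ENTRIES 4096u
#define HYP_NAME_MAX    255u
#define HYP_PATH_MAX    1024u

/* Hypothetical request entry: a name and a path, each with an explicit
 * length supplied by the caller of the IOCTL. */
struct hyp_entry {
    uint32_t name_len;
    uint32_t path_len;
};

/* Defective pattern: the byte count is computed in 32 bits with no
 * overflow check, so a large entry count wraps to a small (even zero)
 * allocation that the later copy loop will run past. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(struct hyp_entry);
}

/* Hardened pattern: reject the request unless the count, the total
 * size and every per-entry length are within policy. Returns 0 and the
 * byte count on success, -1 on any violation; e is untouched when the
 * count itself is rejected. */
int validate_request(uint32_t count, const struct hyp_entry *e, size_t *bytes) {
    size_t total;
    if (count == 0 || count > HYP_MAX_ENTRIES)
        return -1;
    if (__builtin_mul_overflow((size_t)count, sizeof(struct hyp_entry), &total))
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (e[i].name_len == 0 || e[i].name_len > HYP_NAME_MAX)
            return -1;   /* would overflow a fixed-size name buffer */
        if (e[i].path_len == 0 || e[i].path_len > HYP_PATH_MAX)
            return -1;   /* would overflow a fixed-size path buffer */
    }
    *bytes = total;
    return 0;
}

int main(void) {
    struct hyp_entry ok[2] = { {5, 10}, {12, 200} };
    size_t n = 0;
    printf("wrapped size for 0x40000000 entries: %u\n", alloc_size_unchecked(0x40000000u));
    printf("validate 2 sane entries: %d (%zu bytes)\n", validate_request(2, ok, &n), n);
    return 0;
}
```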

Discovery of the vulnerability is credited to Talos researcher Tyler Bohan.