Vulnerability Management

Flaws in Joyent SmartOS hypervisor can lead to privilege escalation

Share

The Joyent SmartOS open-source hypervisor contains three vulnerabilities each in its 64- and 32-bit version,all of which can be exploited to achieve privilege escalation. The flaws are found specifically in the product's Hyprlofs filesystem, and are associated with the HYPROLOFS_ADD_ENTRIALS command,  according to a vulnerability report by Cisco's Talos threat intelligence division.

The first of the three bugs (CVE-2016-8733 for 64-bit, CVE-2016-9031 for 32-bit) consists of an integer overflow issue in the input-output control (IOCTL) function, and can be exploited with a crafted input. In addition to privilege escalation, this kind of attack can also result in a kernel panic.

A second (CVE-2016-9032 for 64-bit, CVE-2016-9034 for 32-bit) and third vulnerability (CVE-2016-9033 for 64-bit, CVE-2016-9035 for 32-bit) are both the result of a buffer overflow in the IOCTL function. The flaws are exploited when an attacker crafts a specific input that causes a buffer overflow in the NM variable or PATH variable, respectively, resulting in an out-of-bounds memory access that enables privilege escalation.

Discovery of the vulnerability is credited to Talos researcher Tyler Bohan.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.