Sun Solaris vulnerabilities
429 known vulnerabilities affecting sun/solaris.
Total CVEs: 429
CISA KEV: 0
Public exploits: 102
Exploited in wild: 0
Severity breakdown: CRITICAL 49, HIGH 153, MEDIUM 172, LOW 55
Vulnerabilities
Page 9 of 22
CVE-2006-5215 | LOW | CVSS 2.6 | v8.0, v9.0, +1 more | 2006-10-10
The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
nvd
CVE-2006-5075 | HIGH | CVSS 7.8 | v10.0 | 2006-09-29
The Kernel SSL Proxy service (svc:/network/ssl/proxy) in Sun Solaris 10 before 20060926 allows remote attackers to cause a denial of service (system crash) via unspecified vectors related to an SSL client.
nvd
CVE-2006-5073 | HIGH | CVSS 7.8 | v9.0, v10.0 | 2006-09-29
Unspecified vulnerability in Sun Solaris 8, 9 and 10 allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets, a different vulnerability than CVE-2006-5013.
nvd
CVE-2006-5013 | HIGH | CVSS 7.8 | v10.0 | 2006-09-27
Sun Solaris 10 before patch 118855-16 (20060925), when run on x64 systems using IPv6, allows remote attackers to cause a denial of service (kernel panic) via crafted IPv6 packets.
nvd
CVE-2006-5012 | MEDIUM | CVSS 6.6 | v8.0, v9.0, +1 more | 2006-09-27
Unspecified vulnerability in Sun Solaris 8, 9, and 10 before 20060925 allows local users to cause a denial of service (disable syslog) and prevent security messages from being logged via unspecified vectors.
nvd
CVE-2006-4655 | MEDIUM | CVSS 4.6 | PoC | v8.0, v9.0, +1 more | 2006-09-09
Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.
nvd
CVE-2006-4439 | LOW | CVSS 3.6 | v10.0 | 2006-08-29
pkgadd in Sun Solaris 10 before 20060825 installs files with insecure file and directory permissions (755 or 777) if the pkgmap file contains a "?" (question mark) in the mode field, which allows local users to modify arbitrary files or directories, a different vulnerability than CVE-2002-1871.
nvd
CVE-2006-4319 | HIGH | CVSS 7.2 | v8.0, v9.0, +1 more | 2006-08-24
Buffer overflow in the format command in Solaris 8, 9, and 10 allows local users with access to format (such as the "File System Management" RBAC profile) to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2006-4307.
nvd
CVE-2006-4307 | HIGH | CVSS 7.2 | v8.0, v9.0 | 2006-08-23
Unspecified vulnerability in the format command in Sun Solaris 8 and 9 before 20060821 allows local users to modify arbitrary files via unspecified vectors involving profiles that permit running format with elevated privileges, a different issue than CVE-2006-4306 and CVE-2006-4319.
nvd
CVE-2006-4306 | HIGH | CVSS 7.2 | v8.0, v9.0 | 2006-08-23
Unspecified vulnerability in Sun Solaris 8 and 9 before 20060821 allows local users to execute arbitrary commands via unspecified vectors, involving the default Role-Based Access Control (RBAC) settings in the "File System Management" profile.
nvd
CVE-2006-4303 | LOW | CVSS 2.6 | v10.0 | 2006-08-23
Race condition in (1) libnsl and (2) TLI/XTI API routines in Sun Solaris 10 allows remote attackers to cause a denial of service ("tight loop" and CPU consumption for listener applications) via unknown vectors related to TCP fusion (do_tcp_fusion).
nvd
CVE-2006-4117 | MEDIUM | CVSS 5.4 | v10.0 | 2006-08-14
The squeue_drain function in Sun Solaris 10, possibly only when run on CMT processors, allows remote attackers to cause a denial of service ("bad trap" and system panic) by opening and closing a large number of TCP connections ("heavy TCP/IP loads"). NOTE: the original report specifies the function name as "drain_squeue," but this is likely incorrect.
nvd
CVE-2006-4139 | MEDIUM | CVSS 5.4 | v10.0 | 2006-08-14
Race condition in Sun Solaris 10 allows attackers to cause a denial of service (system panic) via unspecified vectors related to ifconfig and either netstat or SNMP queries.
nvd
CVE-2006-3968 | MEDIUM | CVSS 5.0 | v10.0 | 2006-08-01
The crypto provider in Sun Solaris 10 3/05 HW2 without patch 121236-01, when running on Sun Fire T2000 platforms, incorrectly verifies a DSA signature, which might prevent applications from detecting that the data has been modified.
nvd
CVE-2006-3920 | MEDIUM | CVSS 5.0 | v9.0, v10.0 | 2006-07-28
The TCP implementation in Sun Solaris 8, 9, and 10 before 20060726 allows remote attackers to cause a denial of service (resource exhaustion) via a TCP packet with an incorrect sequence number, which triggers an ACK storm.
nvd
CVE-2006-3824 | MEDIUM | CVSS 4.9 | PoC | v10.0 | 2006-07-25
systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count argument to the sysinfo system call, which causes a -1 argument to be used by the copyout function. NOTE: this issue has been referred to as an integer overflow, but it is probably more like a signedness error or integer underflow.
nvd
CVE-2006-3825 | LOW | CVSS 2.1 | v10.0 | 2006-07-25
The IPv4 implementation in Sun Solaris 10 before 20060721 allows local users to select routes that differ from the routing table, possibly facilitating firewall bypass or unauthorized network communication.
nvd
CVE-2006-3781 | HIGH | CVSS 7.8 | v10.0 | 2006-07-24
Unspecified vulnerability in Sun Solaris 10 allows context-dependent attackers to cause a denial of service (panic) via unspecified vectors involving the event port API.
nvd
CVE-2006-3782 | MEDIUM | CVSS 4.9 | v10.0 | 2006-07-24
Unspecified vulnerability in the kernel debugger (kmdb) in Sun Solaris 10, when running on x86, allows local users to cause a denial of service (system hang) via unspecified vectors.
nvd
CVE-2006-3783 | MEDIUM | CVSS 4.9 | v10.0 | 2006-07-24
Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors involving (1) the /net mount point and (2) the "-hosts" map in a mount point.
nvd