Source: cve@mitre.org
In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.
Solaris 2.2 and 2.3 systems are vulnerable to a critical local privilege escalation. A failure during the fsck (file system check) process on boot allows a physically present attacker to gain root access, completely compromising the system. This vulnerability poses a significant risk to data confidentiality, integrity, and availability.
Step 1: Physical Access: The attacker gains physical access to the Solaris 2.2 or 2.3 system, typically by being in the same physical location as the machine.
Step 2: Triggering fsck Failure: The attacker manipulates the system to cause fsck to fail during the boot process. This can be achieved by corrupting the file system, interrupting the boot process, or other methods that cause the file system check to fail.
Step 3: Entering Maintenance Mode: The system enters single-user mode or a maintenance shell due to the fsck failure.
Step 4: Privilege Escalation: The attacker exploits the lack of security checks in the maintenance mode to gain root access. This might involve modifying system files, such as /etc/passwd, or executing commands with elevated privileges.
Step 5: Root Access Achieved: The attacker successfully obtains root access, gaining complete control over the system.
The vulnerability stems from a flaw in the Solaris boot process and the handling of file system checks. When fsck encounters errors during startup, it often drops the system into single-user mode or a maintenance shell. In this state, the system may not properly enforce access controls, or may allow the attacker to modify critical system files, such as the /etc/passwd file, to gain root privileges. The root cause is the lack of robust security checks and privilege separation during the critical boot-up phase when fsck is running. Specifically, the system fails to properly validate the user's actions or the integrity of the file system before granting elevated privileges in the event of a fsck failure. This allows an attacker with physical access to manipulate the boot process and gain unauthorized access.
Due to the age of the vulnerability and the affected systems, it is unlikely to be targeted by sophisticated APTs. However, any attacker with the knowledge and physical access could exploit it. This vulnerability is not listed on the CISA KEV.
Review system logs for fsck failures during boot. Specifically, look for error messages related to file system corruption or inconsistencies.
Monitor for unauthorized modifications to critical system files, such as /etc/passwd, /etc/shadow, and /etc/group.
Inspect the system's boot configuration files for any suspicious modifications or attempts to bypass security measures.
Use file integrity monitoring tools to detect changes to system binaries and configuration files.
Analyze system audit logs for unusual activity during the boot process or in single-user mode.
Upgrade to a supported version of Solaris or a modern operating system. This is the most effective mitigation.
Implement strong physical security measures to prevent unauthorized access to the system.
Regularly back up critical system files and configurations.
Review and harden the system's boot configuration to prevent unauthorized modifications.
Implement file integrity monitoring to detect unauthorized changes to system files.
Ensure that the system's fsck process is configured to run correctly and that any errors are properly handled.
Limit physical access to the server room or data center.