Allele Security Alert
Local privilege escalation via xscreensaver
Oracle Solaris 11.x versions before Critical Patch Update (CPU) of October 2019
Oracle Solaris 11 versions with Critical Patch Update (CPU) of October 2019
Proof of concept
There’s a design error vulnerability in xscreensaver, as distributed with Solaris 11.x. This vulnerability allows local attackers to create (or append to) arbitrary files on the system, by abusing the -log command line switch introduced in version 5.06. This flaw can be leveraged to cause a denial of service condition or to escalate privileges to root.
Marco Ivaldi (Media Service)
CVE-2019-3010 – Local privilege escalation on Solaris 11.x via xscreensaver
Oracle Critical Patch Update Advisory – October 2019
Solaris 11.x LPE via xscreensaver
Last modified: October 17, 2019