Sun Solaris 7.0/8.0/9.0/10.0 on x86 Hyper-Threading information disclosure
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.8 | $0-$5k | 0.00 |
A vulnerability classified as critical has been found in Sun Solaris 7.0/8.0/9.0/10.0 on x86 (Operating System). This affects some unknown processing of the component Hyper-Threading Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:
Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses.
The bug was discovered 03/04/2005. The weakness was shared 06/02/2005 by Colin Percival (Website). It is possible to read the advisory at sunsolve.sun.com. This vulnerability is uniquely identified as CVE-2005-0109 since 01/18/2005. Access to the local network is required for this attack to succeed. No form of authentication is needed for exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.
It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 20522 (Ubuntu 4.10 / 5.04 : linux-source-2.6.8.1, linux-source-2.6.10 vulnerabilities (USN-131-1)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Ubuntu Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 117897 (CentOS Security Update for OpenSSL (CESA-2005:476)).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at sun.com. A possible mitigation has been published before and not just after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 3342.
The vulnerability is also documented in the databases at X-Force (19971) and Tenable (20522). The entries 950, 1477 and 24996 are related to this item.
Product
Type
Vendor
Name
Version
License
Support
- end of life
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.2VulDB Meta Temp Score: 7.0
VulDB Base Score: 8.8
VulDB Temp Score: 8.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.6
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
ATT&CK: T1592
Local: No
Remote: Partially
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 20522
Nessus Name: Ubuntu 4.10 / 5.04 : linux-source-2.6.8.1, linux-source-2.6.10 vulnerabilities (USN-131-1)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 52691
OpenVAS Name: FreeBSD Security Advisory (FreeBSD-SA-05:09.htt.asc)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: DisableStatus: 🔍
0-Day Time: 🔍
Patch: sun.com
TippingPoint: 🔍
Timeline
01/18/2005 🔍03/04/2005 🔍
03/04/2005 🔍
03/04/2005 🔍
03/05/2005 🔍
05/13/2005 🔍
05/23/2005 🔍
06/02/2005 🔍
06/05/2005 🔍
06/14/2005 🔍
01/15/2006 🔍
03/11/2021 🔍
Sources
Vendor: oracle.comAdvisory: sunsolve.sun.com⛔
Researcher: Colin Percival
Status: Confirmed
CVE: CVE-2005-0109 (🔍)
OVAL: 🔍
X-Force: 19971
SecurityTracker: 1013967
Vulnerability Center: 8221 - Multiple Vendors Allow Information Disclosure via Hyper-Threading Processors, Low
SecurityFocus: 12724 - Multiple Vendor Hyper-Threading Technology Information Disclosure Vulnerability
Secunia: 15559 - Sun Solaris Hyper-Threading Support Information Disclosure, Less Critical
OSVDB: 16440 - Hyper-Threading SMP information disclosure
Vupen: ADV-2005-0540
See also: 🔍
Entry
Created: 06/14/2005 11:28Updated: 03/11/2021 13:49
Changes: 06/14/2005 11:28 (84), 07/03/2019 11:22 (16), 03/11/2021 13:49 (12)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.