CVE-2020-2656 – Low impact information disclosure via Solaris xlock

A low-impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Because target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely.

This bug was confirmed on the following platforms:

  • Oracle Solaris 11.x (confirmed on 11.4 X86)
  • Oracle Solaris 10 (confirmed on 10 1/13 X86)
  • OpenIndiana Hipster 2019.10 and earlier

Other Oracle Solaris versions (including those that run on the SPARC architecture) are also likely affected.

Oracle has assigned the tracking number S1212411 and has released a fix for all affected and supported versions of Solaris in its Critical Patch Update (CPU) of January 2020. Oracle’s patch is available in the solaris-userland open source repository on GitHub (see commit “30352568 problem in X11/XCLIENTS”). OpenIndiana’s patch is available in the oi-userland repository on GitHub (see commit “xlock: Sync with solaris-userland (security) #5421”).

https://github.com/0xdea/advisories/blob/master/2020-01-solaris-xlock.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2656