CVE-2019-3010
Published: 16 October 2019
Summary
CVE-2019-3010 is a high-severity vulnerability in Oracle Solaris; its weakness type (CWE) is not specified. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-3010 is a vulnerability in the XScreenSaver component of Oracle Solaris version 11. It carries a CVSS 3.0 base score of 8.8, is described as easily exploitable, and has high confidentiality, integrity and availability impact with changed scope (S:C), meaning a successful attack can affect products beyond Solaris itself.
A low-privileged attacker who already has logon access to the host running Oracle Solaris can use the flaw to take over the system. The attack vector is local (AV:L) and no user interaction is required (UI:N): the precondition is an existing unprivileged account or foothold on the host, not network reachability, so this is a privilege-escalation risk on any system where untrusted users can log in.
Public references include Oracle's Critical Patch Update for October 2019, which addresses the issue, along with exploit code and technical details published on Packet Storm and Full Disclosure lists in October 2019.
Public exploit material for the vulnerability has been available since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-12649
Vulnerability details
Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
- CWE(s): not specified
- KEV Date Added: 25 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Directly counters the low-privileged local attacker's ability to escalate and take over Solaris via the XScreenSaver flaw by enforcing only the minimum rights needed for logged-in users.
- SI-2 (Flaw Remediation): Requires timely application of the October 2019 Critical Patch Update that removes the XScreenSaver vulnerability before local exploitation can succeed.
- Access enforcement: Enforces access-control decisions at the OS level so that even an authenticated local user cannot abuse the XScreenSaver component to gain unauthorized system takeover.
Because the vector's PR:L means any local account is enough to attempt the attack, the least-privilege and access-enforcement controls only narrow the set of users who can reach the flaw; applying the October 2019 Critical Patch Update (SI-2) is what removes it.