TPS-2017-001 /proc Filesystem Permission Vulnerability
Overview
This notice is to advise the user groups identified below of a recently discovered /proc filesystem permission vulnerability. The issue was reported directly to Joyent Engineering by a security researcher.
Description
This high-severity vulnerability exists in the core SmartOS platform. The exploit allows non-root users to create objects in the /proc directory within the zone. The validations for filesystem permissions have been hardened to prevent such unauthorized actions.
The following user groups are affected:
- Joyent customers using on-premises Triton software
- All users of SmartOS, including Triton public cloud customers (the fix has already been applied across the entire public cloud)
- Users of Open Source Triton
Actions Taken by Joyent
Joyent has created a new Platform Image (PI) containing fixes that address these vulnerabilities. This PI has been applied across the Triton public cloud.
Actions You Need to Take
Triton Software and SmartOS Users
You are advised to apply this fix by updating your current Platform Image (PI) to the next available release (20170105-20170105T023718Z or later) using the following command on the support channel:
sdcadm platform install --latest
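To confirm which hosts still need the update, the following added example (not part of the original notice or Joyent's tooling) compares each host's platform stamp against the fixed release above. It assumes an inventory of "hostname platform" lines that you collect yourself, with the platform given either in the release form used in this notice or in the joyent_<stamp> form that uname -v prints on SmartOS; the function names and the sample inventory are hypothetical.

```shell
#!/bin/sh
# Added example (not Joyent code): flag hosts booted on a Platform Image
# older than the fixed release named in this notice.
FIXED_PI=20170105T023718Z          # build stamp of the fixed PI, from the notice

# Reduce "joyent_<stamp>", "<date>-<stamp>" or a bare stamp to the stamp itself.
pi_stamp() {
    _s=${1#joyent_}
    printf '%s\n' "${_s##*-}"
}

# Turn a validated stamp into a 14-digit number (YYYYMMDDhhmmss).
stamp_num() {
    _t=${1#*T}
    printf '%s%s\n' "${1%%T*}" "${_t%Z}"
}

# Exit status: 0 = fixed PI or later, 1 = older (vulnerable), 2 = unparseable.
pi_is_fixed() {
    _stamp=$(pi_stamp "$1")
    case $_stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) return 2 ;;
    esac
    [ "$(stamp_num "$_stamp")" -ge "$(stamp_num "$FIXED_PI")" ]
}

# Read "hostname platform" lines on stdin; report hosts not confirmed fixed.
audit_inventory() {
    while read -r _host _pi; do
        [ -n "$_host" ] || continue
        _rc=0
        pi_is_fixed "$_pi" || _rc=$?
        case $_rc in
            0) ;;
            1) printf '%s VULNERABLE %s\n' "$_host" "$_pi" ;;
            *) printf '%s UNKNOWN %s\n' "$_host" "$_pi" ;;
        esac
    done
}

# Constructed sample inventory (hostnames and the non-fixed stamps are made up).
SAMPLE_INVENTORY='cn01 joyent_20161222T003450Z
cn02 joyent_20170105T023718Z
cn03 20170119-20170119T014016Z
cn04 custom-build'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Hosts reported as UNKNOWN carry a platform string that does not parse as a build stamp and should be checked by hand rather than assumed fixed.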
Triton Public Cloud Users
All necessary fixes have been applied to the Triton Cloud (public cloud). No user action is required.
Open Source Triton Users
- Upgrade to this Triton Platform Image (PI) release: 20170105-20170105T023718Z or later.
- Direct any further questions to: The SmartOS Community Mailing Lists and IRC
Support
If you are a Joyent customer and have any further questions or concerns after reading the information and instructions above, please contact Joyent Support.