CVE-1999-1122 Detail

UUID: ce3155c2-cd4e-4459-a18f-924900801660

Current Description

Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.

Analysis Description

Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.

No data reported yet

4.6
Base Score
6.4
Impact Score
3.9
Exploitability Score

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

The access vector (AV) shows how a vulnerability may be exploited.

  • Local (L): The attacker must either have physical access to the vulnerable system (e.g. firewire attacks) or a local account (e.g. a privilege escalation attack).
  • Adjacent Network (A): The attacker must have access to the broadcast or collision domain of the vulnerable system (e.g. ARP spoofing, Bluetooth attacks).
  • Network (N): The vulnerable interface is working at layer 3 or above of the OSI Network stack. These types of vulnerabilities are often described as remotely exploitable (e.g. a remote buffer overflow in a network service)

The access complexity (AC) metric describes how easy or difficult it is to exploit the discovered vulnerability.

  • High (H): Specialised conditions exist, such as a race condition with a narrow window, or a requirement for social engineering methods that would be readily noticed by knowledgeable people.
  • Medium (M): There are some additional requirements for the attack, such as a limit on the origin of the attack, or a requirement for the vulnerable system to be running with an uncommon, non-default configuration.
  • Low (L): There are no special conditions for exploiting the vulnerability, such as when the system is available to large numbers of users, or the vulnerable configuration is ubiquitous.

The authentication (Au) metric describes the number of times that an attacker must authenticate to a target to exploit it. It does not include (for example) authentication to a network in order to gain access. For locally exploitable vulnerabilities, this value should only be set to Single or Multiple if further authentication is required after initial access.

  • Multiple (M): Exploitation of the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time.
  • Single (S): The attacker must authenticate once in order to exploit the vulnerability.
  • None (N): There is no requirement for the attacker to authenticate.

The confidentiality (C) metric describes the impact on the confidentiality of data processed by the system.

  • None (N): There is no impact on the confidentiality of the system.
  • Partial (P): There is considerable disclosure of information, but the scope of the loss is constrained such that not all of the data is available.
  • Complete (C): There is total information disclosure, providing access to any / all data on the system. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

The Integrity (I) metric describes the impact on the integrity of the exploited system.

  • None (N): There is no impact on the integrity of the system.
  • Partial (P): Modification of some data or system files is possible, but the scope of the modification is limited.
  • Complete (C): There is total loss of integrity; the attacker can modify any files or information on the target system.

The availability (A) metric describes the impact on the availability of the target system. Attacks that consume network bandwidth, processor cycles, memory or any other resources affect the availability of a system.

  • None (N): There is no impact on the availability of the system.
  • Partial (P): There is reduced performance or loss of some functionality.
  • Complete (C): There is total loss of availability of the attacked resource.

References to Advisories, Solutions, and Tools

Name Resource Tags URL
CA-1989-02 http://www.cert.org/advisories/CA-1989-02.html
CIAC-08 http://www.ciac.org/ciac/bulletins/ciac-08.shtml
3 http://www.securityfocus.com/bid/3
sun-restore-gain-privileges(6695) https://exchange.xforce.ibmcloud.com/vulnerabilities/6695

Weakness Enumeration

CWE-ID CWE Name CWE Description
No data reported yet

CAPEC

Name ID Description URL
No data reported yet

MITRE ATT&CK

Name ID Description Kill chain phases URL
No data reported yet

Known Affected Software Configurations

Configuration 1
Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Is matched Alert Date Alert UUID Alert Patched Version Range
sun sunos * * * * * * * *

To (including) 4.0.3

sun sunos 4.0 * * * * * * *
sun sunos 4.0.1 * * * * * * *

Relationship graph

This bundle is too large to view on the graph, please export the data and load into a STIX 2.1 compatible product.

Updated History

Date Type
July 26, 1989, 4 a.m. Created At
May 3, 2018, 1:29 a.m. Updated At