FireEye Mandiant has released detailed information about the Oracle Solaris vulnerability that has been exploited in attacks by a sophisticated threat actor.
The vulnerability, tracked as CVE-2020-14871, was discovered in June, but a patch was not released until October 2020 as part of Oracle's Critical Patch Update. The threat actor abusing the bug, tracked as UNC1945, has been actively targeting Solaris systems for at least several years.
The zero-day vulnerability was found in the PAM (Pluggable Authentication Modules) library, which handles user authentication for Solaris applications and lets administrators configure authentication settings.
CVE-2020-14871, Mandiant explains, is a stack-based buffer overflow in the PAM parse_user_name function, triggered when a username longer than PAM_MAX_RESP_SIZE (512 bytes) is passed to the function. An unauthenticated attacker can exploit it to compromise Oracle Solaris systems.
The vulnerability has likely existed for decades, and one possible reason it went unnoticed is that it can only be exploited if the application has not already limited usernames to a shorter length before passing them to PAM. "One situation where network software does not always limit the length of a username is an SSH server, and that is the exploitation vector used by the EVILSUN tool we found," Mandiant says.
The bug can be exploited through SSH keyboard-interactive authentication, which uses SSH to relay prompts and responses between the client and the PAM libraries on the server, and which supports two-factor authentication and other forms of authentication.
By manipulating SSH client settings to force keyboard-interactive authentication to prompt for the username instead of sending it through the usual channels, an attacker can pass input of unlimited length to the PAM parse_user_name function, Mandiant's security researchers explain.
The researchers built a proof-of-concept that triggers the bug and causes the SSH server to crash. On vulnerable servers, the SSH client reports "Authentication failed", whereas a patched server repeatedly re-prompts for the username when it is too long.
According to Mandiant, vulnerable operating systems include some versions of Solaris 9, all versions of Solaris 10, Solaris 11.0, and Illumos (OpenIndiana 2020.04). Oracle has released patches for Solaris 10 and 11, but not for Solaris 9, which is no longer supported.
On unpatched systems running Solaris 11.1 and later, the parse_user_name function remains vulnerable, but changes in the PAM library cause the username to be truncated before it is passed to the vulnerable function, preventing exploitation via SSH.
If the parse_user_name function were reachable in a different context, the vulnerability could still be exploited, Mandiant said.
For Solaris 9 systems, and for Solaris 10 or 11 servers where installing patches is not convenient, a workaround is to edit /etc/ssh/sshd_config, add the lines "ChallengeResponseAuthentication no" and "KbdInteractiveAuthentication no", and restart the SSH server.
However, this does not fix the vulnerability itself, and exploitation may still be possible if an intruder can reach the parse_user_name function by some other path. Installing the fixes included in the October 2020 Critical Patch Update is therefore recommended.
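The sshd_config workaround above is easy to get wrong (a commented-out line, a second occurrence that re-enables the option). The following script is an added example, not part of the article or of Mandiant's report: it audits a given sshd_config and passes only if every uncommented occurrence of both directives is "no". It assumes the "keyword value" line form and treats keyword names case-insensitively, as sshd does.

```shell
#!/bin/sh
# Added example (not from the article or Mandiant): audit an sshd_config for the
# CVE-2020-14871 workaround, i.e. keyboard-interactive authentication disabled.

# Print the lower-cased values of one keyword, ignoring comments. Keyword names
# are matched case-insensitively; "keyword value" line form is assumed.
directive_values() {
    # $1 = config file, $2 = keyword
    sed -e 's/#.*//' "$1" | awk -v key="$2" '
        tolower($1) == tolower(key) { print tolower($2) }'
}

# Conservative check: pass only if each keyword appears at least once and every
# uncommented occurrence is "no", so the verdict does not depend on whether the
# daemon honours the first or the last value for a keyword. Returns 0 on pass.
workaround_present() {
    cfg=$1
    for key in ChallengeResponseAuthentication KbdInteractiveAuthentication; do
        vals=$(directive_values "$cfg" "$key")
        if [ -z "$vals" ]; then
            echo "$key: not set, daemon default applies"; return 1
        fi
        if echo "$vals" | grep -qv '^no$'; then
            echo "$key: at least one occurrence is not 'no'"; return 1
        fi
    done
    echo "workaround present: both directives are set to no"
    return 0
}

# Stand-alone run: audit the file given as $1, or a constructed sample config.
if [ $# -eq 0 ]; then
    sample=${TMPDIR:-/tmp}/sshd_config.sample.$$
    printf '%s\n' 'PasswordAuthentication yes' \
        '#ChallengeResponseAuthentication yes' \
        'ChallengeResponseAuthentication no' \
        'kbdinteractiveauthentication no' > "$sample"
    workaround_present "$sample"
    rm -f "$sample"
else
    workaround_present "$1"
fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on the host; a zero exit status means both directives are consistently disabled, anything else means the workaround is incomplete.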
Related: Sophisticated Threat Actor Exploited Oracle Solaris Zero-Day
Related: Oracle's October 2020 Critical Patch Update Includes 402 New Security Patches
Related: Oracle Issues Update for Critical Vulnerability Exploited in Attacks
Ionut Arghire is an international correspondent for SecurityWeek.