CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.11 Low
Percentile: 94.5%
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Recent assessments:
busterb at November 02, 2020 11:12pm UTC reported:
Likely pre-auth RCE via stack overflow in PAM username parsing. Simply provide an overlong username, and PAM does an over copy into a stack buffer.
Bug being discussed in open source offshoots for Solaris here: <https://illumos.topicbox.com/groups/developer/T4da539ebf8f90156/urgent-cve-2020-14871>
But they're not sure if it's actually related to this commit <https://github.com/illumos/illumos-gate/commit/1d276e0b382cf066dae93640746d8b4c54d15452>, or if it's a different bug. My money is on the former. <https://www.illumos.org/issues/13242>
ZDNet article referencing exploitation in the wild: <https://www.zdnet.com/article/hacker-group-uses-solaris-zero-day-to-breach-corporate-networks/>
wvu-r7 at November 05, 2020 1:41am UTC reported:
Likely pre-auth RCE via stack overflow in PAM username parsing. Simply provide an overlong username, and PAM does an over copy into a stack buffer.
Bug being discussed in open source offshoots for Solaris here: <https://illumos.topicbox.com/groups/developer/T4da539ebf8f90156/urgent-cve-2020-14871>
But they're not sure if it's actually related to this commit <https://github.com/illumos/illumos-gate/commit/1d276e0b382cf066dae93640746d8b4c54d15452>, or if it's a different bug. My money is on the former. <https://www.illumos.org/issues/13242>
ZDNet article referencing exploitation in the wild: <https://www.zdnet.com/article/hacker-group-uses-solaris-zero-day-to-breach-corporate-networks/>
Assessed Attacker Value: 5
Assessed Attacker Value: 4
packetstormsecurity.com/files/159961/SunSSH-Solaris-10-x86-Remote-Root.html
packetstormsecurity.com/files/160510/Solaris-SunSSH-11.0-x86-libpam-Remote-Root.html
packetstormsecurity.com/files/160609/Oracle-Solaris-SunSSH-PAM-parse_user_name-Buffer-Overflow.html
packetstormsecurity.com/files/163232/Solaris-SunSSH-11.0-Remote-Root.html
www.openwall.com/lists/oss-security/2021/03/03/1
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14871
www.oracle.com/security-alerts/cpuoct2020.html