Oracle released its biggest Critical Patch Update ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the ShadowBrokers last week, as well as the recent Apache Struts 2 vulnerability, also under public attack.
In all, Oracle admins have a tall order with 299 patches across most of the company’s product lines; 162 of the vulnerabilities are remotely exploitable.
Two Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had already been patched by Microsoft prior to last Friday’s dump.
One of the Solaris vulnerabilities, code-named EBBISLAND, had already been closed by a series of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It is a local privilege escalation flaw in the dtappgather component of CDE and affects Solaris 7 through 10 on both x86 and SPARC; Oracle's fix covers the currently supported releases, Solaris 10 and 11.3.
Researcher Matthew Hickey of U.K. consultancy Hacker House said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6 through 10 and is a remote exploit against RPC services. Both exploits give an attacker a root shell on the compromised server.
> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (up to 9, still untested) <https://t.co/A3fC7BuwcK> > > — Hacker Fantastic (@hackerfantastic) April 8, 2017
“As a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,” Hickey wrote in a report published today, “even though the bug was a trivial path traversal for ‘dtappgather’ extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.”
Since last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern because Solaris systems form the backbone of many enterprise-grade server environments.
> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and it's public. > > — Hacker Fantastic (@hackerfantastic) April 10, 2017
“This vulnerability can be exploited remotely without authentication or any information about the targeted machine,” said Amol Sarwate, director of Qualys Vulnerability Labs. “These are very critical vulnerabilities.”
The Apache Struts 2 vulnerability (CVE-2017-5638) has been public since early March, though it's been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker can send a request whose Content-Type header value is a crafted OGNL expression; when the parser reports an error on the malformed value, the expression is evaluated on the server and arbitrary commands run with the privileges of the application. Public scans and attacks ramped up immediately upon disclosure of the issue and the release of a Metasploit module. Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks was detected attempting to install Cerber ransomware on vulnerable Windows servers.
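Because the Struts flaw is triggered by a Content-Type value that no legitimate client would ever send, the attack is easy to spot at a proxy or WAF before the request reaches the application. The following is an added example, not code from the article or from the Struts project: a small Python triage script that pulls the Content-Type out of raw HTTP request heads, rejects anything that does not parse as an RFC 7231 media type, and separately flags values carrying OGNL markers such as `%{`. The sample requests, the hypothetical `app.example` host, and the truncated `%{(#_=...)}` probe value are all constructed for the example.

```python
import re

# Grammar for a well-formed Content-Type, following the RFC 7231 token
# rules but with a narrower allowlist for the type/subtype names.
# This is a hypothetical strict filter written for this example.
_TYPE_TOKEN = r"[A-Za-z0-9][A-Za-z0-9.+_-]*"
_MEDIA_TYPE = re.compile(rf"^{_TYPE_TOKEN}/{_TYPE_TOKEN}$")
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = re.compile(rf'^{_TOKEN}=(?:{_TOKEN}|"[^"\\]*")$')

# Substrings that have no place in a media type but are the building
# blocks of an OGNL expression (the S2-045 payloads open with "%{").
_OGNL_MARKERS = re.compile(r"[%$]\{|#_memberAccess|#context|@ognl\.|@java\.")


def classify_content_type(value):
    """Classify one Content-Type header value as 'ok', 'ognl' or 'malformed'."""
    if _OGNL_MARKERS.search(value):
        return "ognl"
    media_type, *params = [p.strip() for p in value.split(";")]
    if not _MEDIA_TYPE.match(media_type):
        return "malformed"
    for param in params:
        if not _PARAM.match(param):
            return "malformed"
    return "ok"


def content_type_of(raw_request):
    """Return the Content-Type value from a raw HTTP request head, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None


def triage(raw_requests):
    """Return (request line, verdict) per request; a missing header counts as 'ok'."""
    results = []
    for raw in raw_requests:
        request_line = raw.split("\r\n", 1)[0]
        value = content_type_of(raw)
        verdict = "ok" if value is None else classify_content_type(value)
        results.append((request_line, verdict))
    return results


# Constructed sample traffic: two benign uploads, one OGNL probe (the
# expression is deliberately truncated and does nothing), one malformed
# header, and one request with no Content-Type at all.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n\r\n",
    "POST /api/orders HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/json; charset=utf-8\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#probe='scan')}\r\n\r\n",
    "POST /index.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary\r\n\r\n",
    "GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

if __name__ == "__main__":
    for request_line, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:9s} {request_line}")
```

The grammar check is the part worth keeping even after patching: the Apache advisory's own stop-gap was a filter that discards requests whose Content-Type does not look like a media type, and a strict allowlist also catches future payload variants that avoid the specific `%{` marker. Run the marker check first only so that the verdict names the attack rather than just "malformed".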
Oracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.
“That could be a little bit of a saving grace for some of these services,” Qualys’ Sarwate said. Some of these applications may nevertheless be exposed to the public network, for remote administration for example. There are also cases in which admins may be learning for the first time that Struts 2 is embedded in an Oracle product. “For a normal admin, it could be a little difficult unless a vendor tells them these are the products you’re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.”
While there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.