FireEye Mandiant has published detailed information on an Oracle Solaris vulnerability that has been exploited in attacks by a sophisticated threat actor.
Tracked as CVE-2020-14871, the vulnerability was identified in June, but a patch for it was only released as part of Oracle’s October 2020 Critical Patch Update. The threat actor abusing the bug, which is tracked as UNC1945, has been actively targeting Solaris systems for at least a couple of years.
The zero-day vulnerability was discovered in the Pluggable Authentication Modules (PAM) library, which enables user authentication in Solaris applications, while providing admins with the option to configure authentication parameters.
CVE-2020-14871, Mandiant explains, is a stack-based buffer overflow that resides in the parse_user_name function of PAM and is triggered when a username longer than PAM_MAX_RESP_SIZE (which is 512 bytes) is passed to the function. The flaw allows an unauthenticated attacker to compromise Oracle Solaris systems.
“The vulnerability has likely existed for decades, and one possible reason is that it is only exploitable if an application does not already limit usernames to a smaller length before passing them to PAM. One situation where network-facing software does not always limit the username length arises in the SSH server, and this is the exploit vector used by the [EVILSUN] tool that we discovered,” Mandiant notes.
Courtesy of this bug, an attacker could target the SSH Keyboard-Interactive authentication, where SSH is leveraged to relay prompts and responses between the client and the PAM libraries on the server. It supports two-factor and other authentication forms.
“By manipulating SSH client settings to force Keyboard-Interactive authentication to prompt for the username rather than sending it through normal means, an attacker can also pass unlimited input to the PAM parse_user_name function,” Mandiant’s security researchers explain.
The researchers came up with a proof-of-concept exploit designed to trigger the bug and crash the SSH server. On vulnerable servers, the SSH client delivers an “Authentication failed” message, while a non-vulnerable one would repeatedly prompt for a username when receiving one that is too long.
Vulnerable operating systems, Madiant says, include some releases of Solaris 9, all releases of Solaris 10, Solaris 11.0, and Illumos (OpenIndiana 2020.04). Oracle has released patches for Solaris 10 and 11, but not for Solaris 9, which is no longer supported.
On unpatched Solaris 11.1 and later systems, the parse_user_name function remains vulnerable, but some changes to the PAM library result in the username being truncated before being delivered to the vulnerable function, thus preventing exploitation via SSH.
“If the parse_user_name function were reachable in another context, then the vulnerability could become exploitable,” Madiant explains.
For Solaris 9 systems, as well as for the Solaris 10 or 11 servers where patching is inconvenient, modifying the /etc/ssh/sshd_config file by adding the lines ChallengeResponseAuthentication no and KbdInteractiveAuthentication no and restarting the SSH server can be used as a workaround.
However, this does not remove the vulnerability and exploitation might still be possible if an attacker manages to reach the parse_user_name function in any way. Thus, installing the fixes included in the October 2020 Critical Patch Update is the recommended path of action.