CVE-2020-14871
published 2020-10-21


Priority: P1 · 98 · critical · 10 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 80.29% (99.6th percentile)
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
oracle | solaris | (not given) | (not given)
oracle | solaris | >= 10 < 11.1 | 11.1
oracle_corporation | solaris_operating_system | (not given) | (not given)
oracle_corporation | solaris_operating_system | (not given) | (not given)

Detection & IOCs (extracted from sources)

port: 22/tcp (SSH keyboard-interactive authentication attack vector)
hash: aae1452bb3d56baa3dcb8866ce7e4a08
command: ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2
filename: hfsunsshdx
bytes: 41*516 + \x04\x39\xbb\xfe\x19\xf8\xf0\x14\x01\x01\x04\x08\x07\xba\x05\x08\xd0\x56\xbb\xfe\xdf\x1e\xc2\xfe\x8c\x60\xfe\x56\xf1\xe3\xc3\xfe
bytes: \x31\xc0\x31\xc9\xbb\x01\x40\x04\x08\x66\xb8\x01\x40\xb1\x07\x4b\x48\x51\x50\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91 (mprotect stage-1 shellcode stub)
  • Monitor sshd_config for ChallengeResponseAuthentication or KbdInteractiveAuthentication set to 'yes' on Oracle Solaris 10/11.0 hosts — these settings enable the attack vector.
  • The exploit prompt string 'Please enter user name:' in SSH keyboard-interactive sessions is the trigger point; monitor for oversized responses to this specific prompt.
  • Post-exploitation: look for unexpected bind shells on ports 9999, 8080, or 4444 on Solaris hosts, consistent with shellcode payloads embedded in public PoC exploits for this CVE.
  • The Metasploit module for this CVE targets SunSSH 1.1.5 on Solaris 10u11 1/13 (x86); correlate exploit attempts against this specific version string in SSH banners.
  • CVE-2020-14871 is NOT exploitable via SSH on Oracle Solaris 11.1 and later, because an unintentional change to the PAM library causes the username to be truncated before reaching parse_user_name(). The vulnerability in the function itself still exists in those versions.
  • ZFSSA 8.7 and later releases are also not exploitable; the NVD CVSS score is 0.0 for Solaris 11.1+ and ZFSSA 8.7+.
  • ROP chain addresses in public exploits are environment-dependent; the sysenter gadget address (0xfebbbbf4) was found to differ between VMware on macOS vs. Windows hosts, meaning exploit reliability varies by hypervisor/host OS.
  • The vulnerability may affect other PAM implementations beyond Solaris (e.g., illumos), as the flaw is in the shared PAM library parse_user_name() function.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | (not given) | 10.0 | CRITICAL | (not given)
cisa | (not given) | 10.0 | CRITICAL | (not given)
vendor_oracle | (not given) | 10.0 | CRITICAL | (not given)