Mandiant Details Recently Patched Oracle Solaris Zero-Day

FireEye Mandiant has published detailed information on an Oracle Solaris vulnerability that has been exploited in attacks by a sophisticated threat actor.

Tracked as CVE-2020-14871, the vulnerability was identified in June, but a patch for it was only released as part of Oracle’s October 2020 Critical Patch Update. The threat actor abusing the bug, tracked by Mandiant as UNC1945, has been actively targeting Solaris systems for at least a couple of years.

The zero-day vulnerability was discovered in the Pluggable Authentication Modules (PAM) library, which handles user authentication for Solaris applications and lets administrators configure authentication policy.

CVE-2020-14871, Mandiant explains, is a stack-based buffer overflow in the parse_user_name function of PAM, triggered when a username longer than PAM_MAX_RESP_SIZE (512 bytes) is passed to the function. The flaw allows an unauthenticated, network-based attacker to compromise Oracle Solaris systems.

“The vulnerability has likely existed for decades, and one possible reason is that it is only exploitable if an application does not already limit usernames to a smaller length before passing them to PAM. One situation where network-facing software does not always limit the username length arises in the SSH server, and this is the exploit vector used by the [EVILSUN] tool that we discovered,” Mandiant notes.

The exploit vector is SSH keyboard-interactive authentication, in which the SSH server relays arbitrary prompts and responses between the client and the PAM library; the mechanism exists to support two-factor and other prompt-based authentication schemes.

“By manipulating SSH client settings to force Keyboard-Interactive authentication to prompt for the username rather than sending it through normal means, an attacker can also pass unlimited input to the PAM parse_user_name function,” Mandiant’s security researchers explain.

Mandiant also built a proof-of-concept that triggers the bug and crashes the SSH server, which doubles as a test: against a vulnerable server the SSH client reports “Authentication failed” because the server-side process has died, while a non-vulnerable server simply prompts for the username again when the one supplied is too long.

Vulnerable operating systems, Mandiant says, include some releases of Solaris 9, all releases of Solaris 10, Solaris 11.0, and Illumos (OpenIndiana 2020.04). Oracle has released patches for Solaris 10 and 11, but not for Solaris 9, which is no longer supported.

On unpatched Solaris 11.1 and later systems, the parse_user_name function remains vulnerable, but some changes to the PAM library result in the username being truncated before being delivered to the vulnerable function, thus preventing exploitation via SSH.

“If the parse_user_name function were reachable in another context, then the vulnerability could become exploitable,” Mandiant explains.
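The three situations the article describes (an unbounded copy into a PAM_MAX_RESP_SIZE stack buffer, a patched parser that bounds the copy, and an unpatched parser shielded only because its caller truncates the name first, as on Solaris 11.1 and later) are easiest to see side by side in code. The following is an added, illustrative model written for this page; it is not Solaris or Illumos source, does not reproduce the real parse_user_name, and the function names, the 2048-byte response buffer and the 'A'-filled test names are constructed for the demonstration.

```c
/* Illustrative model of the CVE-2020-14871 bug class (added example; not
 * the Solaris/Illumos parse_user_name). Models only what the article states:
 * an unbounded copy of the username into a PAM_MAX_RESP_SIZE stack buffer,
 * the bounded fix, and caller-side truncation that closes the SSH vector
 * while leaving the parser itself unfixed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PAM_MAX_RESP_SIZE 512   /* limit quoted in Mandiant's write-up */

/* Length of the first whitespace-delimited token after leading blanks:
 * the bytes a parse_user_name-style routine tries to store. */
static size_t username_token_len(const char *resp)
{
    size_t n = 0;
    while (isspace((unsigned char)*resp)) resp++;
    while (resp[n] != '\0' && !isspace((unsigned char)resp[n])) n++;
    return n;
}

/* Would an unbounded parser overrun buf[PAM_MAX_RESP_SIZE]? The buffer holds
 * at most PAM_MAX_RESP_SIZE-1 bytes plus the terminating NUL. */
static int would_overflow(const char *resp)
{
    return username_token_len(resp) >= PAM_MAX_RESP_SIZE;
}

/* VULNERABLE pattern: no bound on i. Only ever called here behind a caller
 * that has already capped the input; never feed it untrusted data. */
static int parse_user_name_vulnerable(const char *resp, char *out)
{
    char buf[PAM_MAX_RESP_SIZE];
    size_t i = 0;
    while (isspace((unsigned char)*resp)) resp++;
    while (*resp != '\0' && !isspace((unsigned char)*resp))
        buf[i++] = *resp++;             /* writes past buf once the token reaches 512 */
    buf[i] = '\0';
    strcpy(out, buf);
    return 0;
}

/* FIXED pattern: reject over-long names instead of silently overrunning. */
static int parse_user_name_fixed(const char *resp, char *out, size_t outsz)
{
    char buf[PAM_MAX_RESP_SIZE];
    size_t i = 0;
    while (isspace((unsigned char)*resp)) resp++;
    while (*resp != '\0' && !isspace((unsigned char)*resp)) {
        if (i >= sizeof buf - 1) return -1;   /* too long: fail closed */
        buf[i++] = *resp++;
    }
    buf[i] = '\0';
    if (i >= outsz) return -1;
    memcpy(out, buf, i + 1);
    return 0;
}

/* Caller-side truncation, as the article describes for unpatched Solaris
 * 11.1+: the parser is still vulnerable, but it never sees more than
 * PAM_MAX_RESP_SIZE-1 bytes. A caller that forwards the raw SSH
 * keyboard-interactive response has no such cap, which is the exploit vector. */
static int caller_truncating(const char *resp, char *out)
{
    char capped[PAM_MAX_RESP_SIZE];
    strncpy(capped, resp, sizeof capped - 1);
    capped[sizeof capped - 1] = '\0';
    return parse_user_name_vulnerable(capped, out);
}

/* Constructed input: `len` bytes of 'A', the kind of over-long username the
 * keyboard-interactive prompt lets a client send. */
static void make_name(char *dst, size_t dstsz, size_t len)
{
    if (len >= dstsz) len = dstsz - 1;
    memset(dst, 'A', len);
    dst[len] = '\0';
}

/* 1 if the unbounded parser would overflow on a `len`-byte name. */
static int unbounded_overflows(size_t len)
{
    char resp[2048];
    make_name(resp, sizeof resp, len);
    return would_overflow(resp);
}

/* Return code of the bounded parser on a `len`-byte name (0 ok, -1 rejected). */
static int bounded_result(size_t len)
{
    char resp[2048], out[PAM_MAX_RESP_SIZE];
    make_name(resp, sizeof resp, len);
    return parse_user_name_fixed(resp, out, sizeof out);
}

/* Bytes the vulnerable parser actually receives behind a truncating caller. */
static int truncated_len(size_t len)
{
    char resp[2048], out[PAM_MAX_RESP_SIZE];
    make_name(resp, sizeof resp, len);
    caller_truncating(resp, out);
    return (int)strlen(out);
}

int main(void)
{
    printf("700-byte name: unbounded parser overflows=%d, bounded parser rc=%d, "
           "truncating caller passes %d bytes\n",
           unbounded_overflows(700), bounded_result(700), truncated_len(700));
    return 0;
}
```

The boundary is exactly 512 bytes: a 511-byte name fits in both parsers, a 512-byte one already pushes the terminating NUL past the buffer in the unbounded version, and the truncating caller hands the unfixed parser at most 511 bytes regardless of input length, which is why Mandiant treats it as protected only for as long as no other caller reaches parse_user_name without that cap.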

For Solaris 9 systems, and for Solaris 10 or 11 servers where patching is not immediately possible, the workaround is to disable keyboard-interactive authentication in /etc/ssh/sshd_config by adding the lines

    ChallengeResponseAuthentication no
    KbdInteractiveAuthentication no

and restarting the SSH server (on Solaris 10 and 11, svcadm restart network/ssh). Two practical caveats: sshd honours the first uncommented occurrence of a keyword, so an existing "yes" earlier in the file must be changed rather than a "no" appended below it; and turning off keyboard-interactive authentication also removes any PAM-driven two-factor prompts that were delivered through it.

However, this does not remove the vulnerability, and exploitation remains possible if an attacker can reach the parse_user_name function by any other route. Installing the fixes included in the October 2020 Critical Patch Update is therefore the recommended course of action.

Related: Sophisticated Threat Actor Exploited Oracle Solaris Zero-Day

Related: Oracle’s October 2020 CPU Contains 402 New Security Patches

Related: Oracle Issues Out-of-Band Update for Critical Vulnerability Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
