Security Experts:

Researchers Resurrect Decade-Old Oracle Solaris Vulnerability

One of the Solaris vulnerabilities patched by Oracle with its July 2018 Critical Patch Update (CPU) exists due to an ineffective fix implemented by the company for a flaw first discovered in 2007.

The new vulnerability, identified by researchers at Trustwave and tracked as CVE-2018-2892, impacts the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The security hole has been classified as high severity due to the fact that it allows an attacker to execute code with elevated privileges, but it cannot be exploited remotely without authentication.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation,” Trustwave wrote in an advisory. “The issue is the result of a signedness bug in the bounds checking of the 'SDBC_TEST_INIT' ioctl code sent to the '/dev/sdbc' device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

According to Trustwave, the vulnerability was originally discovered back in 2007 and its details were disclosed in 2009 at the CanSecWest security conference. The root cause of the issue is a combination of several arbitrary memory dereference bugs and an unbounded memory write bug.

Oracle released a patch sometime after the vulnerability was disclosed, but Trustwave discovered that the fix had been ineffective.

Exploitation of CVE-2018-2892 is “almost identical” to the original flaw, the most significant difference being related to the change in architecture between the open source OpenSolaris running on a 32-bit system and Oracle Solaris 11 running on a 64-bit system. Oracle discontinued OpenSolaris after acquiring Sun Microsystems in 2010.

Researchers believe the new vulnerability may exist due to some code introduced for testing purposes.

Another vulnerability patched by Oracle with its latest CPU is CVE-2018-2893, a critical flaw that allows attackers to remotely take control of WebLogic Server systems. The security hole has already been exploited in the wild to deliver cryptocurrency miners, backdoors and other types of malware.

Related: Oracle Fixes Spectre, Meltdown Flaws With Critical Patch Update

Related: Oracle Patches New Spectre, Meltdown Vulnerabilities

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.