Oracle has issued three fixes for a critical Solaris vulnerability that could allow kernel-level privilege escalation. Impacted are the Solaris 10 and 11.3 operating environments.
Sun Microsystems (now owned by Oracle) originally patched the vulnerability in 2009. But, a “re-fix” is now required, since researchers at Trustwave discovered loopholes in the patch that could allow a local adversary to execute arbitrary code on Solaris enterprise systems and escalate privileges.
“The issue is present in the kernel and is locally exploitable as an unprivileged user, provided the local system has the Sun StorageTek Availability Suite configured,” explained Neil Kettle, application security principal consultant at SpiderLabs at Trustwave.
The vulnerability allows attackers to write their own malicious code to memory and execute it with kernel-level privilege, researchers said. A successful attack against this vulnerability could result in a takeover of the Solaris operating environment.
The vulnerability was first discovered in 2007 and released publicly during CanSecWest 2009, according to Trustwave. A fix was issued shortly after by Sun Microsystems. Fast-forward to March 2018, when Trustwave disclosed it had found loopholes in the patch.
On July 17, Oracle released three patches to mitigate against the vulnerability as part of its July patching schedule. On Tuesday, Trustwave and Oracle publicly disclosed the vulnerability (CVE-2018-2892).
The bug is tied to Sun StorageTek Availability Suite Service, used for backup replication and disaster tolerance.
“The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin(),” Kettle wrote.
He said within the problematic code there are four vulnerabilities ranging from an “arbitrary memory dereference resulting in an arbitrary destination pointer being passed to copyin()” to a “arbitrary user-controlled length in the call to copyin() resulting in an unbounded memory write.”
Patches for the 13-year-old Oracle Solaris 10 are being distributed via Oracle’s extended support offering, Trustwave said. Oracle 11.3 installations can be patched with Oracle July 2018 Critical Patch Update applied.