Oracle has patched a critical vulnerability in its Solaris enterprise operating system that was recently reported by researchers at Trustwave.
According to Trustwave's advisory, the vulnerability allows local kernel-level privilege escalation. It affects all current versions of Oracle Solaris 10 and 11 on which the Sun StorageTek Availability Suite (AVS) is configured. A local attacker could use it to execute arbitrary code in the kernel and thereby gain root access to the system.
“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation. The issue is the result of a signedness bug in the bounds checking of the ‘SDBC_TEST_INIT’ ioctl code sent to the ‘/dev/sdbc’ device,” explained Trustwave in the advisory.
“The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”
This vulnerability (CVE-2018-2892) is a decade old: it was first discovered in 2007, and Sun Microsystems (since acquired by Oracle) shipped a patch for it in 2009. However, when Trustwave researchers revisited the code this year, they found that the AVS kernel component was still exploitable and could be made to run attacker-supplied code in the kernel.
Trustwave disclosed the vulnerability to Oracle in March 2018, and Oracle released the patch on 17 July 2018 as part of its quarterly Critical Patch Update.
“The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(),” said Neil Kettle, application security principal consultant at Trustwave SpiderLabs, who discovered the vulnerability.
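The bug class the advisory and Kettle describe, as an added example that is not code from the page, from Trustwave or from Oracle: a constructed C model of an ioctl handler whose bounds check is a signed upper-bound comparison only, so a negative index passes and the resulting pointer is user-controlled, and whose length goes to the copy routine unbounded. The hardened handler beside it rejects both with an unsigned comparison and a length bound. The request layout, slot sizes, field names and the stand-in copyin are assumptions for illustration; the real `/dev/sdbc` handler and `SDBC_TEST_INIT` structures are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not Oracle's AVS code: a "kernel" table of fixed-size
 * slots surrounded by guard bytes so an out-of-bounds write is detectable.
 * Names and sizes below are assumptions made for this illustration. */
#define SLOTS      4
#define SLOT_SIZE  16
#define GUARD      64

struct kernel_state {
    uint8_t guard_before[GUARD];
    uint8_t table[SLOTS][SLOT_SIZE];
    uint8_t guard_after[GUARD];
};

/* Hypothetical ioctl argument: a signed slot index and a signed byte count. */
struct test_init_req {
    int index;
    int len;
    const uint8_t *ubuf;   /* "user" source buffer */
};

static void init_state(struct kernel_state *ks) { memset(ks, 0, sizeof *ks); }

/* Stand-in for copyin(): copies len bytes from user src to whatever kernel
 * destination the caller computed, with no validation of its own. */
static int model_copyin(const void *usrc, void *kdst, size_t len) {
    memcpy(kdst, usrc, len);
    return 0;
}

/* Byte address of table[index], computed with char arithmetic inside the
 * enclosing struct so the model stays well defined even for a negative index,
 * which is exactly what the vulnerable check lets through. */
static uint8_t *slot_addr(struct kernel_state *ks, int index) {
    return (uint8_t *)ks + offsetof(struct kernel_state, table)
           + (ptrdiff_t)index * SLOT_SIZE;
}

/* Vulnerable pattern: signed upper-bound check only, so index < 0 passes and
 * the destination pointer becomes user controlled; len is never bounded. */
static int vuln_handler(struct kernel_state *ks, const struct test_init_req *r) {
    if (r->index >= SLOTS)
        return -1;
    return model_copyin(r->ubuf, slot_addr(ks, r->index), (size_t)r->len);
}

/* Hardened pattern: the unsigned cast folds negative values into the
 * too-large range, so one comparison rejects both; len is capped at the slot. */
static int fixed_handler(struct kernel_state *ks, const struct test_init_req *r) {
    if ((unsigned)r->index >= SLOTS)
        return -1;                        /* EINVAL in a real driver */
    if ((size_t)r->len > SLOT_SIZE)       /* also rejects negative len */
        return -1;
    return model_copyin(r->ubuf, slot_addr(ks, r->index), (size_t)r->len);
}

/* 1 if any guard byte was written, i.e. the copy escaped the table. */
static int guards_clobbered(const struct kernel_state *ks) {
    for (size_t i = 0; i < GUARD; i++)
        if (ks->guard_before[i] || ks->guard_after[i])
            return 1;
    return 0;
}

/* Negative index: the write lands before the table. Returns 1 on clobber. */
int demo_vuln_negative_index(void) {
    struct kernel_state ks;
    uint8_t payload[SLOT_SIZE];
    init_state(&ks);
    memset(payload, 0x41, sizeof payload);
    struct test_init_req r = { .index = -1, .len = SLOT_SIZE, .ubuf = payload };
    return vuln_handler(&ks, &r) == 0 && guards_clobbered(&ks);
}

/* Oversized length at the last valid slot: the write runs past the table. */
int demo_vuln_oversize_len(void) {
    struct kernel_state ks;
    uint8_t payload[2 * SLOT_SIZE];
    init_state(&ks);
    memset(payload, 0x42, sizeof payload);
    struct test_init_req r = { .index = SLOTS - 1, .len = (int)sizeof payload, .ubuf = payload };
    return vuln_handler(&ks, &r) == 0 && guards_clobbered(&ks);
}

/* Same two requests against the hardened handler: rejected, nothing written. */
int demo_fixed_rejects(void) {
    struct kernel_state ks;
    uint8_t payload[2 * SLOT_SIZE];
    init_state(&ks);
    memset(payload, 0x43, sizeof payload);
    struct test_init_req neg = { .index = -1, .len = SLOT_SIZE, .ubuf = payload };
    struct test_init_req big = { .index = SLOTS - 1, .len = (int)sizeof payload, .ubuf = payload };
    return fixed_handler(&ks, &neg) == -1 && fixed_handler(&ks, &big) == -1
           && !guards_clobbered(&ks);
}

/* A legitimate request still works: returns 1 if slot 2 holds the payload. */
int demo_fixed_accepts_valid(void) {
    struct kernel_state ks;
    uint8_t payload[SLOT_SIZE];
    init_state(&ks);
    memset(payload, 0x44, sizeof payload);
    struct test_init_req ok = { .index = 2, .len = SLOT_SIZE, .ubuf = payload };
    return fixed_handler(&ks, &ok) == 0 && !guards_clobbered(&ks)
           && memcmp(ks.table[2], payload, SLOT_SIZE) == 0;
}
```

The two checks in `fixed_handler` are the whole fix: with the index validated as unsigned and the length bounded before the copy, the destination pointer and the copy size can no longer be steered by the caller, which is what turns a kernel memory overwrite back into an ordinary ioctl. The guard bytes only exist to make the out-of-bounds write observable in this model; in a real kernel the same write would land on adjacent kernel data or code.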
Patches for Oracle Solaris 10 installations are distributed through Oracle's extended support offering, while users of Oracle Solaris 11.3 can fix the vulnerability by applying the Oracle July 2018 Critical Patch Update.