Researchers Resurrect Decade-Old Oracle Solaris Vulnerability
26.7.18 securityweek

One of the Solaris vulnerabilities patched by Oracle with its July 18 Critical Patch Update (CPU) exists due to an ineffective fix implemented by the company for a flaw first discovered in 2007.

The new vulnerability, identified by researchers at Trustwave and tracked as CVE-18-2892, impacts the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The security hole has been classified as high severity due to the fact that it allows an attacker to execute code with elevated privileges, but it cannot be exploited remotely without authentication.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation,” Trustwave wrote in an advisory. “The issue is the result of a signedness bug in the bounds checking of the 'SDBC_TEST_INIT' ioctl code sent to the '/dev/sdbc' device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

According to Trustwave, the vulnerability was originally discovered back in 2007 and its details were disclosed in 2009 at the CanSecWest security conference. The root cause of the issue is a combination of several arbitrary memory dereference bugs and an unbounded memory write bug.

Oracle released a patch sometime after the vulnerability was disclosed, but Trustwave discovered that the fix had been ineffective.

Exploitation of CVE-18-2892 is “almost identical” to the original flaw, the most significant difference being related to the change in architecture between the open source OpenSolaris running on a 32-bit system and Oracle Solaris 11 running on a 64-bit system. Oracle discontinued OpenSolaris after acquiring Sun Microsystems in 2010.

Researchers believe the new vulnerability may exist due to some code introduced for testing purposes.

Another vulnerability patched by Oracle with its latest CPU is CVE-18-2893, a critical flaw that allows attackers to remotely take control of WebLogic Server systems. The security hole has already been exploited in the wild to deliver cryptocurrency miners, backdoors and other types of malware.