snarang
Product Team
5 years ago

Oracle Solaris Vulnerability Exploited in the Wild As Zero-Day (CVE-2020-14871)

On November 2 and 4, researchers at FireEye published blog posts [1, 2] detailing their discovery of a zero-day vulnerability in Oracle Solaris that was exploited in the wild by an uncategorized threat group they call UNC1945. 

According to the researchers, the threat group reportedly obtained a zero-day in Oracle Solaris through an underground forum. The vulnerability, identified as CVE-2020-14871, is a stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. The vulnerability received the maximum possible CVSSv3 score of 10.0, which makes this a critical vulnerability.

In addition to using CVE-2020-14871, the researchers say that UNC1945 have also used CVE-2019-0708, a critical remote code execution vulnerability in Microsoft’s Remote Desktop Protocol, dubbed “BlueKeep,” as part of their additional reconnaissance efforts.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
