Yesterday Oracle emitted a huge set of 299 security fixes for its software, including a patch for a vulnerability exploited by a leaked NSA tool that can hijack Solaris systems.
You can find the details of this massive April dump here. Oracle describes the updates as “critical,” and urges all admins to install them “without any delay.”
Among the trove is a patch for CVE-2017-3622, a local privilege escalation hole in the Common Desktop Environment on Solaris 10 that is exploited by the NSA’s now-public EXTREMEPARR tool to seize control of vulnerable machines. This flaw isn’t present in Solaris 11, according to Oracle. That leaves Solaris 7 to 9 potentially vulnerable on Sparc and x86; these operating systems are not supported by Oracle, so you’re on your own with those.
Another leaked NSA tool, EBBISLAND aka EBBSHAVE, attempts to exploit a kernel RPC vulnerability (CVE-2017-3623) in Solaris 6 to 10, on x86 and Sparc, to give the attacker a remote root shell. This flaw is not present on Solaris 11, nor on Solaris 10 with critical patches installed since January 26, 2012, nor on systems running Solaris 10 Update 11. Again, that leaves older unsupported Solaris boxes on their own.
In other words, Oracle patched the remote root hole now dubbed CVE-2017-3623 back in January 2012 for Solaris 10, and Solaris 11 is not affected. Solaris 10 has been exposed to the local root hole CVE-2017-3622 until now; a patch is finally available for that operating system, and Solaris 11 was never affected.
Earlier versions of Solaris are out of luck as they are unsupported: if you’re running older boxes or unpatched systems – and many organizations are for various reasons – you need to pay close attention to what’s happening here.
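As an added check (example code written for this page, not taken from the article or from Oracle), the shell function below classifies a Solaris host's exposure to the two CVEs from the first line of /etc/release, using only the version ranges reported above. Everything about the /etc/release line format is an assumption on my part, not something the article states: that Solaris 10 Update 11 is the release branded "Solaris 10 1/13" whose release line carries a "u11" token, and that Solaris 6 appears as "Solaris 2.6". The sample lines at the bottom are constructed, not captured from real systems. Note that whether a pre-Update-11 Solaris 10 box carries a patch set from January 26, 2012 or later cannot be read from /etc/release alone, so that case is flagged for a manual patch-level check rather than guessed.

```shell
#!/bin/sh
# Added triage helper, not from the article or from Oracle: classify a Solaris
# host's exposure to CVE-2017-3622 (EXTREMEPARR, local root via CDE) and
# CVE-2017-3623 (EBBISLAND/EBBSHAVE, remote root via kernel RPC) from the
# first line of /etc/release, using only the version ranges the article gives.
#
# Assumptions not stated in the article: Solaris 10 Update 11 is the release
# branded "Solaris 10 1/13" and its release line carries a "u11" token
# (e.g. "s10s_u11wos_24a" on SPARC, "s10x_u11wos_24a" on x86); Solaris 6 is
# branded "Solaris 2.6". A pre-Update-11 Solaris 10 patch level cannot be read
# from /etc/release, so that case is reported as "verify patch level".

solaris_triage() {
    release="$1"
    case "$release" in
        *"Solaris 11"*)
            echo "solaris11: not affected by CVE-2017-3622 or CVE-2017-3623" ;;
        *"Solaris 10"*)
            case "$release" in
                *_u11wos_*)
                    echo "solaris10-u11: CVE-2017-3623 already fixed; apply the April 2017 CPU for CVE-2017-3622" ;;
                *)
                    echo "solaris10: apply the April 2017 CPU for CVE-2017-3622; CVE-2017-3623 is fixed only by a Solaris 10 patch set from 26 Jan 2012 or later, verify patch level" ;;
            esac ;;
        *"Solaris 7"*|*"Solaris 8"*|*"Solaris 9"*)
            echo "solaris7-9: unsupported, no fix from Oracle; treat CVE-2017-3622 and CVE-2017-3623 as exploitable" ;;
        *"Solaris 2.6"*)
            echo "solaris2.6: unsupported, no fix from Oracle; treat CVE-2017-3623 as exploitable" ;;
        *)
            echo "unknown: unrecognised release line: $release" ;;
    esac
}

# On a real Solaris host, triage it; elsewhere this is skipped harmlessly.
if [ -r /etc/release ]; then
    solaris_triage "$(head -1 /etc/release)"
fi

# Constructed sample release lines (not captured from real systems) showing
# the main outcomes without needing a Solaris box.
for sample in \
    "Oracle Solaris 11.3 X86" \
    "Oracle Solaris 10 1/13 s10s_u11wos_24a SPARC" \
    "Oracle Solaris 10 8/11 s10x_u10wos_17b X86" \
    "Solaris 9 9/05 s9s_u8wos_05 SPARC"
do
    solaris_triage "$sample"
done
```

The function matches on substrings of the release line rather than parsing it strictly, so it copes with the leading whitespace and vendor prefix ("Sun Microsystems" vs "Oracle") that differ across Solaris 10 updates; anything it does not recognise is reported as unknown rather than silently treated as safe.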
It took Oracle a week to clarify the above after earlier refusing to comment on whether or not its software was vulnerable to the NSA toolkit leaked by the Shadow Brokers this month. The radio silence was highly frustrating for some in the sysadmin community.
“Oracle encourages all customers to update their systems frequently and fixes are cumulative – this is why any of the Solaris 10 patch distributions released since January 26, 2012, includes the fix,” a spokesman told The Register, referring to the patch that kills off the EBBISLAND weapon.