Oracle today emitted a huge batch of 299 security fixes for its software – including a patch for a vulnerability exploited by a leaked NSA tool that can hijack Solaris systems.
Details of the massive April dump can be found here: Oracle describes the updates as "critical," and urges admins to install them "without delay."
Among the trove is a patch for CVE-2017-3622, a local privilege escalation hole in the Common Desktop Environment on Solaris 10 that is exploited by the NSA's now-public EXTREMEPARR tool to seize control of vulnerable machines. This flaw isn't present in Solaris 11, according to Oracle. That leaves Solaris 7 to 9 potentially vulnerable on Sparc and x86; these operating systems are not supported by Oracle, so you're on your own with those.
Another leaked NSA tool, EBBISLAND aka EBBSHAVE, attempts to exploit a kernel RPC vulnerability (CVE-2017-3623) in Solaris 6 to 10, on x86 and Sparc, to give the attacker a remote root shell. This flaw is not present on Solaris 11 nor on Solaris 10 with critical patches installed since January 21, 2012, nor systems running Solaris 10 Update 11. Again, that leaves older unsupported Solaris boxes on their own.
In other words, Oracle patched the remote root hole now dubbed CVE-2017-3623 back in January 2012 for Solaris 10, and Solaris 11 is not affected. Solaris 10 was always at risk of the local root hole CVE-2017-3622, and now a patch is available for that operating system, and Solaris 11 was never affected.
Earlier versions of Solaris are out of luck as they are unsupported: if you're running older boxes or unpatched systems – and many organizations are for various reasons – you need to pay close attention to what's happening here.
It took Oracle a week to clarify the above after earlier refusing to comment on whether or not its software was vulnerable to the NSA toolkit leaked by the Shadow Brokers this month. The radio silence was highly frustrating for some in the sysadmin community.
"Oracle encourages all customers to update their systems frequently and fixes are cumulative – this is why any of the Solaris 10 patch distributions released since January 26, 2012, includes the fix," a spokesman told The Register, referring to the patch that kills off the EBBISLAND weapon.
Matthew Hickey, the Brit infosec expert who demonstrated EXTREMEPARR and EBBISLAND on vulnerable pre-Solaris 11 systems, told The Reg it looks as though Oracle has ironed out the vulnerabilities – at least for supported installations.
"There's no data on the CDE local root," he noted. "And it seems they got lucky patching the remote vulnerability out of the RPC code in 2012: it was a previously unknown bug as it has a new CVE."
Besides the spyware drama, there are patches to be applied to Oracle's Database, Fusion Middleware, PeopleSoft suite, Oracle Communications tools, Oracle Financial Services software, its retail applications, Java SE, Oracle Linux and MySQL, and more. Get updating ASAP, if you can. ®