CVE-2020-14871 — Oracle Solaris PAM Out-of-Bounds Write Vulnerability

Oracle Solaris — Out-of-Bounds Write in PAM Authentication Framework Enables Unauthenticated Remote Code Execution via SunSSH; CVSS 10.0, Exploited by UNC1945 Against Financial Sector

What is Oracle Solaris PAM?

Oracle Solaris is an enterprise Unix operating system used extensively in financial services, telecommunications, and large-scale data center environments. Solaris has historically shipped SunSSH, a Sun/Oracle-maintained SSH daemon derived from an early OpenSSH fork and distinct from upstream OpenSSH. SunSSH authenticates users through Solaris's Pluggable Authentication Modules (PAM) framework, which provides a modular system for authentication, account management, session management, and password policy enforcement: the PAM library (libpam) receives authentication requests from services such as SSH and routes them through the modules configured for that service. An out-of-bounds write in the PAM library that is reachable from SunSSH's unauthenticated code path is therefore a pre-authentication remote code execution vulnerability in the SSH daemon: a network-accessible code execution path that requires no credentials on a privileged enterprise server.

Overview

CVE-2020-14871 is an out-of-bounds write (CWE-787) in Oracle Solaris's PAM library, reachable through the SunSSH daemon. With a CVSS score of 10.0, the maximum possible, it requires no authentication and no user interaction, and its scope is Changed (S:C), meaning the impact escapes the vulnerable component and affects the broader system. Oracle patched it in the October 2020 Critical Patch Update (CPU). Mandiant documented in-the-wild exploitation by UNC1945, a threat group it observed targeting organizations that run Oracle Solaris, including financial sector organizations; after exploitation the group deployed the SLAPSTICK PAM backdoor to maintain persistent, authenticated access to compromised Solaris systems.

Affected Versions

Product               Vulnerable   Fixed
Oracle Solaris 10     Yes          Apply October 2020 CPU patch
Oracle Solaris 11.3   Yes          Apply October 2020 CPU patch
Oracle Solaris 11.4   Yes          Apply October 2020 CPU patch

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in the Oracle Solaris PAM library (libpam). Public analysis of the bug describes a stack-based buffer overflow in the library's username parsing: a username longer than the fixed-size stack buffer, supplied during SunSSH keyboard-interactive authentication before any credential is checked, overruns the buffer and corrupts the stack of the SSH daemon process
  • CVSS 10.0, maximum severity: AV:N (network), AC:L (no complexity barrier), PR:N (no credentials), UI:N (no victim interaction), S:C (impact crosses from the SSH daemon into the host), C:H/I:H/A:H (full triad impact). Every metric sits at its worst value; very few CVEs receive a 10.0
  • SunSSH vs. OpenSSH attack surface: Solaris has historically shipped SunSSH rather than upstream OpenSSH. SunSSH's keyboard-interactive (challenge-response) handling hands the client-supplied username to the Solaris PAM library, which is how the overflow becomes reachable over the network with no credentials. The flaw is in libpam rather than in the SSH daemon itself, so it is the PAM patch, not a change of SSH implementation, that removes it
  • UNC1945 SLAPSTICK backdoor: After achieving initial code execution, UNC1945 deployed SLAPSTICK, a PAM backdoor delivered as modified PAM module code that intercepts authentication requests and logs the credentials presented to it. SLAPSTICK also accepts a hardcoded backdoor password, so the access it provides survives legitimate users' password changes and blends into normal authentication flows
  • Scope Changed (S:C): Code execution in the SSH daemon process is not confined to the SSH service boundary. It yields access to the host's file system and inter-process communication and the ability to install further persistence, so exploiting the daemon compromises the entire Solaris host
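The bug class described above, shown as an added illustration rather than Oracle's source: an attacker-supplied username from the unauthenticated keyboard-interactive exchange is copied into a fixed-size stack buffer with no length check, placed beside a bounded version that rejects over-long input. The 512-byte buffer size, the function names and the measuring helpers are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of the bug class behind CVE-2020-14871. This is NOT
 * Oracle's source: the 512-byte buffer size, the function names and the
 * helpers are assumptions chosen for the example.
 */
#define USER_BUF_SIZE 512
#define DEMO_SCRATCH  4096

/* VULNERABLE pattern: the client-supplied name is copied until the first
 * blank and the size of `out` is never consulted. Returns the byte count
 * written before the terminator so the overrun can be measured. */
size_t parse_user_name_unbounded(const char *in, char *out)
{
    size_t n = 0;
    while (*in && isspace((unsigned char)*in))
        in++;                                   /* skip leading blanks */
    while (*in && !isspace((unsigned char)*in))
        out[n++] = *in++;                       /* no bound on n */
    out[n] = '\0';
    return n;
}

/* HARDENED form: the caller passes the buffer size and an over-long name is
 * rejected outright. Rejecting beats silent truncation, which could map an
 * attacker-chosen string onto a different, valid account name. */
int parse_user_name_bounded(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    while (*in && isspace((unsigned char)*in))
        in++;
    while (*in && !isspace((unsigned char)*in)) {
        if (n + 1 >= outsz) {                   /* keep room for the NUL */
            out[0] = '\0';
            return -1;
        }
        out[n++] = *in++;
    }
    out[n] = '\0';
    return 0;
}

/* Demo helper: bytes a name of `len` characters would write past a
 * USER_BUF_SIZE-byte buffer under the unbounded parser. The copy lands in a
 * scratch buffer large enough to hold it, so the demo itself is memory safe. */
size_t overrun_bytes_for_name_length(size_t len)
{
    static char name[DEMO_SCRATCH];
    static char scratch[DEMO_SCRATCH + 1];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    size_t written = parse_user_name_unbounded(name, scratch) + 1; /* + NUL */
    return written > USER_BUF_SIZE ? written - USER_BUF_SIZE : 0;
}

/* Demo helper: 1 if the bounded parser accepts `in` into a buffer of `outsz`
 * bytes and yields `expected`, else 0. */
int check_bounded(const char *in, size_t outsz, const char *expected)
{
    static char buf[DEMO_SCRATCH];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    if (parse_user_name_bounded(in, buf, outsz) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char longname[601];
    memset(longname, 'A', 600);
    longname[600] = '\0';
    printf("600-byte name vs unbounded parser: %zu bytes past a %d-byte buffer\n",
           overrun_bytes_for_name_length(600), USER_BUF_SIZE);
    printf("511-byte name vs unbounded parser: %zu bytes past\n",
           overrun_bytes_for_name_length(511));
    printf("bounded parser, \"  alice rest\" into 512 bytes: %s\n",
           check_bounded("  alice rest", USER_BUF_SIZE, "alice") ? "ok" : "rejected");
    printf("bounded parser, 600-byte name into 512 bytes: %s\n",
           check_bounded(longname, USER_BUF_SIZE, longname) ? "ok" : "rejected");
    return 0;
}
```

The terminator is what pushes a 511-character name to exactly fit and a 512-character name one byte past the buffer; an attacker who controls the name length controls how far past the buffer the write extends, which is the lever a memory corruption exploit builds on.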

Discovery

Mandiant's investigation into UNC1945 intrusions at financial sector organizations uncovered exploitation of CVE-2020-14871 as part of multi-stage attacks. Oracle identified and patched the underlying vulnerability in the October 2020 CPU. The Mandiant report documenting UNC1945's tactics — including use of CVE-2020-14871 alongside SLAPSTICK — provided the public threat intelligence that established active exploitation.

Exploitation Context

UNC1945 targeted organizations in the financial services sector that operate Oracle Solaris on critical infrastructure such as trading systems, banking middleware, and data warehouse environments. Financial institutions frequently run Oracle Solaris for high-value workloads because of its enterprise features and Oracle's support contracts, which makes these systems high-value targets with long patch cycles. UNC1945's post-exploitation use of the SLAPSTICK PAM backdoor indicates sophisticated, persistent tradecraft: rather than deploying obvious persistence mechanisms, the group modified the authentication framework itself, allowing it to log credentials for every user authenticating through PAM and to retain backdoor access that survives reboots and routine security audits. Solaris systems in financial environments may also be patched less often because of uptime requirements, extending the exploitation window.

Remediation

  1. Apply the Oracle October 2020 CPU patches to every affected Solaris version; this fixes the PAM library itself
  2. Audit the PAM shared libraries for unauthorized modification: on Solaris 11 run pkg verify against the packages that deliver /usr/lib/security/ and /usr/lib/security/64/, on Solaris 10 use pkgchk, and in addition compare SHA-256 digests of every .so in those directories with known-good values taken from Oracle's patch media; SLAPSTICK ships as modified PAM module code, so a changed digest on a pam_*.so file is the primary indicator
  3. Investigate for UNC1945 indicators: scan for SLAPSTICK artifacts (modified PAM libraries, unexpected authentication log entries consistent with a hardcoded backdoor password, unfamiliar SSH public keys in authorized_keys)
  4. Review SSH authentication logs for anomalous pre-authentication connection patterns or failed keyboard-interactive authentications with unusually long usernames, which may indicate exploitation attempts
  5. Restrict SunSSH access to authorized administrator IP ranges via tcp_wrappers (/etc/hosts.allow, /etc/hosts.deny) or Solaris IP Filter rules; no server's SSH should be directly internet-accessible
  6. Use Oracle Solaris Zones to limit the blast radius of an SSH daemon compromise. Because the flaw lives in the PAM library rather than in SunSSH, replacing the SSH implementation is not a substitute for the patch
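The integrity check in step 2, as an added example that is not from the page, Mandiant or Oracle and is written in C to keep one language on this page: it classifies every entry of a freshly generated SHA-256 manifest of the PAM module directories against a known-good baseline. Both manifests are assumed to be "<64-hex-hash> <path>" lines (for instance assembled off-box from digest -a sha256 output on the Solaris host), and the sample manifests, module names in them and their hashes are constructed placeholders for the demo.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Oracle's or Mandiant's code: classify a current SHA-256
 * manifest of /usr/lib/security/ against a known-good baseline. Manifest
 * format assumed: one "<64-hex-hash> <path>" per line. Sample data below is
 * constructed; the hashes are placeholders, not real digests.
 */
#define MAX_ENTRIES 64
#define HASH_LEN    64
#define PATH_LEN    256

struct entry {
    char hash[HASH_LEN + 1];
    char path[PATH_LEN];
    int  seen;
};

struct audit_result {
    int ok, modified, missing, unexpected;
};

/* Parse "<hash> <path>" lines into `out`; malformed lines are skipped. */
static int parse_manifest(const char *text, struct entry *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[HASH_LEN + PATH_LEN + 2];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%64s %255s", out[n].hash, out[n].path) == 2) {
            out[n].seen = 0;
            n++;
        }
        p = eol ? eol + 1 : p + len;
    }
    return n;
}

/* Compare `current_text` against `baseline_text` and print each finding.
 * MODIFIED on a pam_*.so is the SLAPSTICK-style finding; UNEXPECTED catches
 * an extra module dropped into the directory; MISSING catches a removed one. */
struct audit_result audit_pam_modules(const char *baseline_text,
                                      const char *current_text)
{
    static struct entry base[MAX_ENTRIES], cur[MAX_ENTRIES];
    struct audit_result r = {0, 0, 0, 0};
    int nb = parse_manifest(baseline_text, base, MAX_ENTRIES);
    int nc = parse_manifest(current_text, cur, MAX_ENTRIES);

    for (int i = 0; i < nc; i++) {
        int j;
        for (j = 0; j < nb; j++)
            if (strcmp(cur[i].path, base[j].path) == 0)
                break;
        if (j == nb) {
            r.unexpected++;
            printf("UNEXPECTED %s\n", cur[i].path);
        } else {
            base[j].seen = 1;
            if (strcmp(cur[i].hash, base[j].hash) == 0) {
                r.ok++;
            } else {
                r.modified++;
                printf("MODIFIED   %s\n", cur[i].path);
            }
        }
    }
    for (int j = 0; j < nb; j++)
        if (!base[j].seen) {
            r.missing++;
            printf("MISSING    %s\n", base[j].path);
        }
    return r;
}

/* Constructed sample manifests (placeholder hashes). */
const char *SAMPLE_BASELINE =
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef /usr/lib/security/pam_unix_auth.so.1\n"
    "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 /usr/lib/security/pam_unix_account.so.1\n"
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff /usr/lib/security/pam_authtok_get.so.1\n";

const char *SAMPLE_CURRENT =
    "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef /usr/lib/security/pam_unix_auth.so.1\n"
    "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 /usr/lib/security/pam_unix_account.so.1\n"
    "cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe /usr/lib/security/pam_custom.so.1\n";

int main(void)
{
    struct audit_result r = audit_pam_modules(SAMPLE_BASELINE, SAMPLE_CURRENT);
    printf("ok=%d modified=%d missing=%d unexpected=%d\n",
           r.ok, r.modified, r.missing, r.unexpected);
    return (r.modified || r.missing || r.unexpected) ? 1 : 0;
}
```

On the sample data the run reports pam_unix_auth.so.1 as MODIFIED, pam_custom.so.1 as UNEXPECTED and pam_authtok_get.so.1 as MISSING and exits non-zero, which is the shape a scheduled job should take: any non-OK class on a PAM module is an incident trigger, not a warning, because every class is consistent with a backdoored or replaced authentication module.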

Key Details

Property               Value
CVE ID                 CVE-2020-14871
Vendor / Product       Oracle — Solaris and Zettabyte File System (ZFS)
NVD Published          2020-10-21
NVD Last Modified      2025-10-27
CVSS 3.1 Score         10.0
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-787 (Out-of-bounds Write)
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network (AV:N)
Attack Complexity      Low (AC:L)
Privileges Required    None (PR:N)
User Interaction       None (UI:N)
Scope                  Changed (S:C)
Confidentiality        High (C:H)
Integrity              High (I:H)
Availability           High (A:H)

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2020-10-21   Oracle October 2020 CPU patches CVE-2020-14871 in Solaris PAM; rated CVSS 10.0
2020-11-01   Mandiant reports the UNC1945 threat group exploiting CVE-2020-14871 against financial sector targets and deploying the SLAPSTICK PAM backdoor
2021-11-03   Added to the CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline

References

Resource                                   Type
Oracle October 2020 CPU — CVE-2020-14871   Vendor Advisory
NVD — CVE-2020-14871                       Vulnerability Database
CISA KEV Catalog Entry                     US Government