Pluggable Authentication Module (PAM) Vulnerability
The Oracle Solaris 10 and 11 operating systems have a small market share today compared to operating systems such as Linux and Microsoft Windows. Even so, over 50% of Solaris deployments are at medium and large organizations in the United States, so a critical flaw in Solaris still matters to a lot of serious infrastructure.
CVE-2020-14871, disclosed in Oracle's October 2020 Critical Patch Update, is a critical vulnerability in the Pluggable Authentication Module (PAM) of Oracle Solaris with a CVSS score of 10, the highest possible rating. The flaw is exploitable both locally and remotely without valid credentials, requires no user interaction, and is rated as low attack complexity. Although there are no currently known published exploits, that combination of low complexity and privilege escalation is why CVE-2020-14871 received the maximum rating of 10.
If you are a business or government agency that relies on Oracle Solaris for your computational workload, be sure you get this patch applied to your systems as soon as possible.
Linked Information
If you use Oracle VM VirtualBox, the same PAM vulnerability applies as well. Download the latest VirtualBox 6.1.32 from Oracle to apply the fix.
The full list of Oracle vulnerabilities addressed in the October 2020 Critical Patch Update: https://www.oracle.com/security-alerts/cpuoct2020.html
The specifics for Solaris 10/11 in regard to CVE-2020-14871: https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixSUNS