Skip to main content
Delphix

TB085 libpam Can Cause Buffer Overflow (CVE-2020-27678)

 

 

Alert Type

Security

Impact

FIPS 199 Severity Level: Critical

CVSS Score: 10

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): N

User Interaction (UI): N

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): H

The operating system in all versions of the Delphix Engine prior to 6.0.0.0 is susceptible to the illumos vulnerability CVE-2020-27678. This vulnerability is a buffer overflow in parse_user_name in lib/libpam/pam_framework.c that can theoretically allow an attacker to gain root access to the Delphix Engine’s underlying operating system and access all data stored on the Delphix Engine.

Contributing Factors

The issue may occur when using any version of the Delphix Engine prior to 6.0.x.x.

Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2

5.1

5.1.3.1, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

In order to exploit this vulnerability, an attacker would need to build a custom exploit based on the version of libpam that is included in the software appliance and have access to port 22 (ssh) on the Delphix Engine.

Symptoms

An attacker with network access to the engine could potentially take control of the engine and access all data stored on the engine.

Relief/Workaround

Customers in need of a short-term workaround until they can upgrade their engine can disable non-GUI access to the engine by blocking SSH access (port 22) via a firewall. This will disable both CLI and Delphix Support access.

Resolution

This issue does not exist on 6.0-based versions of the Delphix Engine. The resolution is to upgrade to the latest version of the Delphix Engine.

Additional Information

The NVD listings for CVE-2020-27678 (illumos) and CVE-2020-14871 (Oracle Solaris).

Related Documents

Upgrading the Delphix Engine