Oracle ZFS Storage Appliance Kit 8.8 Operating System Image privileges management

Summaryinfo

A vulnerability classified as very critical was found in Oracle ZFS Storage Appliance Kit 8.8. Impacted is an unknown function of the component Operating System Image. Such manipulation leads to an unknown weakness. This vulnerability is traded as CVE-2020-1472. The attack may be launched remotely. Furthermore, there is an exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as very critical, has been found in Oracle ZFS Storage Appliance Kit 8.8. Affected by this issue is an unknown function of the component Operating System Image. Using CWE to declare the problem leads to CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Impacted is confidentiality, integrity, and availability. CVE summarizes:

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

The weakness was shared 04/21/2021 as Oracle Critical Patch Update Advisory - April 2021. The advisory is shared for download at oracle.com. This vulnerability is handled as CVE-2020-1472. Technical details are unknown but a public exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 12/17/2025). The MITRE ATT&CK project declares the attack technique as T1068.

The exploit is available at exploit-db.com. It is declared as attacked. As 0-day the estimated underground price was around $100k and more. The vulnerability scanner Nessus provides a plugin with the ID 236653 (Alibaba Cloud Linux 3 : 0077: samba (ALINUX3-SA-2021:0077)), which helps to determine the existence of the flaw in a target environment. This issue was added on 11/03/2021 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 05/03/2022:

Apply updates per vendor instructions.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at Exploit-DB (49071) and Tenable (236653). Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Oracle

Name

• ZFS Storage Appliance Kit

Version

• 8.8

License

• commercial

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion