CVE-2018-3266: Oracle Solaris Verified Boot vuln

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Verified Boot). The supported version that is affected is 11.3. This difficult-to-exploit vulnerability allows a high-privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some Solaris-accessible data, unauthorized read access to a subset of Solaris-accessible data, and the unauthorized ability to cause a partial denial of service (partial DoS) of Solaris.

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://nvd.nist.gov/vuln/detail/CVE-2018-3266

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3266

Current Exploit Price (≈) 3.9 $5k-$25k

https://vuldb.com/?id.125643

Oracle Solaris 11.4: UEFI Secure Boot on Intel HW

UEFI Secure Boot on Oracle Solaris x86 enables you to install and boot Oracle Solaris on platforms where UEFI Secure Boot is enabled. This feature provides more security by maintaining a chain of trust during boot: the digital signatures of the firmware and software are verified before the next stage is executed. Unsigned, corrupt, or rogue firmware or software therefore cannot break the chain during the boot process. This feature helps assure that the firmware and software used to boot Oracle Solaris on a hardware platform are correct and have not been modified or corrupted.

https://docs.oracle.com/cd/E72435_01/html/E72445/grijo.html
https://docs.oracle.com/cd/E37838_01/html/E60974/index.html
https://blogs.oracle.com/solaris/oracle-solaris-114-beta-released
https://github.com/oracle/solaris-userland/tree/master/components/shim
https://www.phoronix.com/scan.php?page=news_item&px=Oracle-Linux-7-Update-4

Oracle kills off SPARC/Solaris

https://www.theregister.co.uk/2017/08/31/oracle_stops_prolonging_inevitable_layoffs/

https://www.thelayoff.com/t/P23GpT5

https://www.thelayoff.com/t/P2twa2w