CVE-2022-36958 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

The flaw was discovered by Chris Huber, a software engineer at EMEA partner firm Varonis. This remote command injection vulnerability is present in the Web UI of SolarWinds Platform. An attacker can exploit this vulnerability by sending malicious request to the vulnerable application. Successful exploitation of this issue could allow an attacker to execute arbitrary commands. If a user is logged into the SolarWinds Web Console, they would be vulnerable to this issue. The attacker must send request to the vulnerable application with valid username and password. This issue affects the SolarWinds Platform version 6.0(x) and 5.9(x) released on March 20, 2017. The latest release of SolarWinds Platform is version 7.2(x). This issue has been patched in version 7.2 and 5.10, released on July 7, 2017.

Vulnerability Scenario

SolarWinds Web Console is an application which allows users to remotely monitor their systems. The Web Console is a web application which can be accessed through the URL https://[HOST]/WebConsole.
An attacker may launch a brute-force attack against the SolarWinds Web Console by first collecting Unique IDs (UID) of vulnerable users and then sending maliciously crafted requests to the vulnerable application. If a user is logged into the SolarWinds Web Console, they would be vulnerable to this issue.

Vulnerability overview

A new remote command injection vulnerability has been discovered in the Web UI of SolarWinds Platform. The issue allows an attacker to execute arbitrary commands on a vulnerable system. Varonis discovered this flaw and reported it to SolarWinds Security Team.

References:

- CVE-2022-36958

Vulnerability Verification

An attacker can exploit this vulnerability by sending malicious request to the vulnerable application.
Successful exploitation of this issue could allow an attacker to execute arbitrary commands. If a user is logged into the SolarWinds Web Console, they would be vulnerable to this issue.

Timeline

Published on: 10/20/2022 21:15:00 UTC
Last modified on: 10/21/2022 18:51:00 UTC

References