Solarwinds Virtualization Manager 6.3.1 Java Deserialization

2016.06.17
Credit: Nate Kettlewell
Risk: High
Local: No
Remote: Yes
CVE: CVE-2016-3642
CWE: CWE-502


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Java Deserialization in Solarwinds Virtualization Manager 6.3.1 Product: Solarwinds Virtualization Manager Vendor: Solarwinds Vulnerable Version(s): < 6.3.1 Tested Version: 6.3.1 Vendor Notification: April 25th, 2016 Vendor Patch Availability to Customers: June 1st, 2016 Public Disclosure: June 14th, 2016 Vulnerability Type: Deserialization of Untrusted Data [CWE-502] CVE Reference: CVE-2016-3642 Risk Level: High CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Solution Status: Solution Available Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ ) ----------------------------------------------------------------------------------------------- Advisory Details: Depth Security discovered a vulnerability in Solarwinds Virtualization Manager Java RMI service. This attack does not require authentication of any kind. 1) Deserialization of Untrusted Data in Solarwinds Virtualization Manager: CVE-2016-3642 The vulnerability exists due to the deserialization of untrusted data in the RMI service running on port 1099/TCP. A remote attacker can execute operating system commands as an unprivileged user. ----------------------------------------------------------------------------------------------- Solution: Solarwinds has released a hotfix to remediate this vulnerability on existing installations. This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances. ----------------------------------------------------------------------------------------------- Proof of Concept: The following is an example of the usage of the "ysoserial" tool to execute operating system commands against the 10.10.10.10 host. java -cp ysoserial-0.0.2-all.jar ysoserial.RMIRegistryExploit 10.10.10.10 1099 CommonsCollections1 'OS COMMANDS HERE' ----------------------------------------------------------------------------------------------- References: [1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments. [2] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - Targeted to developers and security practitioners, CWE is a formal list of software weakness types.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top