As announced earlier, SolarWinds has released patches for several vulnerabilities. The company has identified four high-severity flaws that could allow a remote adversary with Orion admin-level account access to execute arbitrary commands.
These vulnerabilities are tracked as CVE-2023-23836, CVE-2022-47503, CVE-2022-47504, and CVE-2022-47507.
If successfully exploited, these vulnerabilities could allow attackers to execute arbitrary commands on the affected systems, whether remotely or locally.
The company is yet to report any instances of these vulnerabilities being exploited in the wild.
“SolarWinds advises its customers to update to SolarWinds Platform 2023.1 as soon as it becomes available to mitigate these vulnerabilities,” Manindar Mohan, Senior Cyber Security Engineer at Beagle Security, told The Cyber Express.
“In addition, SolarWinds has also disclosed a high-severity issue with Server & Application Monitor 2022.4 that prevents the use of Kerberos with NTLM, which has been resolved in the Hybrid Cloud Observability 2023.1 release candidate.”
SolarWinds, vulnerabilities, and latest patches
Here are the patches issued in the latest lot:
CVE-2023-23836: This vulnerability in the SolarWinds Network Performance Monitor could allow remote attackers to execute arbitrary code. However, to exploit this vulnerability, authentication is necessary.
The vulnerability is specifically related to the CredentialInitializer function. The problem arises from inadequate validation of data provided by users, which can lead to the deserialization of untrusted data. An attacker can take advantage of this vulnerability to execute code in the SYSTEM context.
CVE-2022-47507: This vulnerability affects SolarWinds Network Performance Monitor, enabling remote attackers to execute arbitrary code. Authentication is necessary to exploit this vulnerability.
The vulnerability is found in the WorkerProcessWCFProxy function. The problem arises from inadequate validation of data provided by users, which can lead to the deserialization of untrusted data. An attacker can take advantage of this vulnerability to execute code in the SYSTEM context.
CVE-2022-47506: This vulnerability in SolarWinds Network Performance Monitor allows remote attackers to execute arbitrary code on affected installations. Depending on the product configuration, authentication may be required to exploit this vulnerability.
The vulnerability is specifically related to the sshd_SftpRename function. The issue arises from inadequate validation of the path provided by the user before using it in file operations. An attacker can take advantage of this vulnerability to execute code in the SYSTEM context.
CVE-2022-38111: This vulnerability in SolarWinds Orion Platform enables remote attackers to execute arbitrary code on affected installations. However, authentication is necessary to exploit this vulnerability.
The vulnerability is specifically related to the BytesToMessage function. The problem arises from inadequate validation of data provided by users, which can lead to the deserialization of untrusted data. An attacker can take advantage of this vulnerability to execute code in the SYSTEM context.
CVE-2022-47504: This vulnerability in SolarWinds Network Performance Monitor enables remote attackers to execute arbitrary code on affected installations. However, authentication is necessary to exploit this vulnerability.
The vulnerability is specifically related to the SqlFileScript function. The problem arises from inadequate validation of data provided by users, which can lead to the deserialization of untrusted data. An attacker can take advantage of this vulnerability to execute code in the SYSTEM context.
SolarWinds and vulnerability risks
The potential damages that could be caused by exploiting these vulnerabilities depend on the extent to which they are successfully exploited, Beagle Security’s Manindar Mohan told The Cyber Express.
“The severity of the impact would depend on the attacker’s goals and the level of access they are able to gain through the exploitation of these vulnerabilities. In general, it is recommended that affected users update their systems as soon as possible to mitigate the risk of exploitation.”
However, nothing compares to the 2020 cyber attack on the company, he said.
“That hack was a highly sophisticated and coordinated attack that took months to plan and execute.”
SolarWinds urged its customers of upgrade to version 2023.1 as soon as the patch is available. Additionally, it recommended that customers should refer to the SolarWinds Secure Configuration Guide to ensure only authorized users can access the platform.
“Be careful not to expose your SolarWinds Platform website on the public internet. If you must enable outbound internet access from SolarWinds servers, create a strict allow list and block all other traffic,” said the company’s patch notice.