[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DM3PR17MB05401D2953CCCAAD3EDC5DF6D0550@DM3PR17MB0540.namprd17.prod.outlook.com>
Date: Wed, 15 Jun 2016 13:59:06 +0000
From: Nate Kettlewell <nate@...thsecurity.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2016-3642 - Java Deserialization in Solarwinds
Virtualization Manager 6.3.1
Java Deserialization in Solarwinds Virtualization Manager 6.3.1
Product: Solarwinds Virtualization Manager
Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1
Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016
Vulnerability Type: Deserialization of Untrusted Data [CWE-502]
CVE Reference: CVE-2016-3642
Risk Level: High
CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Solution Available
Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
Depth Security discovered a vulnerability in Solarwinds Virtualization Manager Java RMI service. This attack does not require authentication of any kind.
1) Deserialization of Untrusted Data in Solarwinds Virtualization Manager: CVE-2016-3642
The vulnerability exists due to the deserialization of untrusted data in the RMI service running on port 1099/TCP.
A remote attacker can execute operating system commands as an unprivileged user.
-----------------------------------------------------------------------------------------------
Solution:
Solarwinds has released a hotfix to remediate this vulnerability on existing installations.
This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances.
-----------------------------------------------------------------------------------------------
Proof of Concept:
The following is an example of the usage of the "ysoserial" tool to execute operating system commands against the 10.10.10.10 host.
java -cp ysoserial-0.0.2-all.jar ysoserial.RMIRegistryExploit 10.10.10.10 1099 CommonsCollections1 'OS COMMANDS HERE'
-----------------------------------------------------------------------------------------------
References:
[1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.
[2] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - Targeted to developers and security practitioners, CWE is a formal list of software weakness types.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists