Solarwinds Virtualization Manager 6.3.1 Java Deserialization

Packet Storm ID: PACKETSTORM:137486
Published: June 15, 2016
Author: Nate Kettlewell
Source: packetstormsecurity.com
EPSS: 0.005 (Low), percentile 72.7%

Java Deserialization in Solarwinds Virtualization Manager 6.3.1
  
Product: Solarwinds Virtualization Manager  
Vendor: Solarwinds  
Vulnerable Version(s): < 6.3.1  
Tested Version: 6.3.1  
  
Vendor Notification: April 25th, 2016  
Vendor Patch Availability to Customers: June 1st, 2016  
Public Disclosure: June 14th, 2016  
  
Vulnerability Type: Deserialization of Untrusted Data [CWE-502]  
CVE Reference: CVE-2016-3642  
Risk Level: High  
CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)  
Solution Status: Solution Available  
  
Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )  
  
-----------------------------------------------------------------------------------------------  
  
Advisory Details:  
  
Depth Security discovered a vulnerability in the Solarwinds Virtualization Manager Java RMI service. This attack does not require authentication of any kind.
  
1) Deserialization of Untrusted Data in Solarwinds Virtualization Manager: CVE-2016-3642  
  
The vulnerability exists due to the deserialization of untrusted data in the RMI service running on port 1099/TCP.  
A remote attacker can execute operating system commands as an unprivileged user.  
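The weakness class above (CWE-502) comes from an ObjectInputStream that will instantiate whatever class descriptors a remote peer sends, which is what lets library gadget chains such as the CommonsCollections ones run. The following is an added example, not code from Solarwinds or Depth Security, showing the defensive pattern a Java service can apply: a look-ahead ObjectInputStream that rejects any class not on an allowlist before its instance is constructed, and the Java 9+ JEP 290 filter that achieves the same thing declaratively. The allowlist contents and the sample messages are hypothetical and constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

/*
 * Added example: refusing to deserialize untrusted classes.
 * The ALLOWED set is a hypothetical allowlist for a service that only
 * ever exchanges simple collections of strings and numbers.
 */
public class SafeDeserialization {

    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.Integer", "java.lang.Number",   // Number is Integer's serializable superclass
            "java.util.ArrayList", "java.util.HashMap"));

    /**
     * Look-ahead stream: resolveClass() runs for every class descriptor
     * before any object of that class is created, so a rejection here stops
     * a gadget chain before its readObject()/constructor logic executes.
     */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Helper used only to build constructed sample streams for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns the deserialized object, or null when the stream was rejected. */
    static Object readAllowlisted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign message, and a type the service never expects.
        byte[] benign = serialize(new ArrayList<>(Arrays.asList("status", 42)));
        byte[] unexpected = serialize(new TreeMap<String, String>());

        System.out.println("benign -> " + readAllowlisted(benign));          // the list
        System.out.println("unexpected -> " + readAllowlisted(unexpected));  // rejected: java.util.TreeMap

        // Java 9+ equivalent (JEP 290): a serialization filter applied to the stream.
        // Process-wide, the same pattern syntax goes in the jdk.serialFilter system
        // property; for an RMI registry, sun.rmi.registry.registryFilter applies.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.lang.*;java.util.ArrayList;java.util.HashMap;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(unexpected))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("JEP 290 filter rejected: " + e.getMessage());
        }
    }
}
```

Two points follow from the example. First, the allowlist must name every serializable class in the object graph, including serializable superclasses (hence java.lang.Number beside java.lang.Integer); forgetting one turns up as a false rejection in testing, which is the safe failure direction. Second, a class-level filter is a hardening layer, not a substitute for the vendor hotfix: an RMI registry reachable on 1099/TCP from untrusted networks should also be restricted at the network level, and the service should be patched to the fixed release.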
  
-----------------------------------------------------------------------------------------------  
  
Solution:  
  
Solarwinds has released a hotfix to remediate this vulnerability on existing installations.  
  
This flaw, as well as several others, has been corrected, and that release has been put into manufacturing for new appliances.
  
-----------------------------------------------------------------------------------------------  
  
Proof of Concept:  
  
The following is an example of the usage of the "ysoserial" tool to execute operating system commands against the 10.10.10.10 host.  
  
java -cp ysoserial-0.0.2-all.jar ysoserial.RMIRegistryExploit 10.10.10.10 1099 CommonsCollections1 'OS COMMANDS HERE'  
  
-----------------------------------------------------------------------------------------------  
  
References:  
  
[1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.  
[2] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - Targeted to developers and security practitioners, CWE is a formal list of software weakness types.  
