Solarwinds Virtualization Manager 6.3.1 Java Deserialization

🗓️ 15 Jun 2016 00:00:00Reported by Nate KettlewellType

packetstorm🔗 packetstormsecurity.com👁 75 Views

Java Deserialization in Solarwinds Virtualization Manager 6.3.1, Remote Code Executio

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2016-3642	7 Jan 202407:56	–	circl
CNVD	Citrix Systems NetScaler ADC and Gateway Information Disclosure Vulnerability (CNVD-2016-02416)	20 Apr 201600:00	–	cnvd
Check Point Advisories	Solarwinds Virtualization Manager Apache Commons Collections Insecure Deserialization (CVE-2016-3642)	10 Aug 201600:00	–	checkpoint_advisories
CVE	CVE-2016-3642	17 Jun 201615:00	–	cve
Cvelist	CVE-2016-3642	17 Jun 201615:00	–	cvelist
Imperva Blog	Deserialization Attacks Surge Motivated by Illegal Crypto-mining	24 Jan 201817:45	–	impervablog
NVD	CVE-2016-3642	17 Jun 201615:59	–	nvd
OpenVAS	RMI Java Deserialization RCE Vulnerability (Jun 2016) - Active Check	15 Jun 201600:00	–	openvas
Prion	Design/Logic Flaw	17 Jun 201615:59	–	prion
Tenable Nessus	SolarWinds Virtualization Manager Java Object Deserialization RCE	13 Jul 201600:00	–	nessus

`Java Deserialization in Solarwinds Virtualization Manager 6.3.1  
  
Product: Solarwinds Virtualization Manager  
Vendor: Solarwinds  
Vulnerable Version(s): < 6.3.1  
Tested Version: 6.3.1  
  
Vendor Notification: April 25th, 2016  
Vendor Patch Availability to Customers: June 1st, 2016  
Public Disclosure: June 14th, 2016  
  
Vulnerability Type: Deserialization of Untrusted Data [CWE-502]  
CVE Reference: CVE-2016-3642  
Risk Level: High  
CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)  
Solution Status: Solution Available  
  
Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )  
  
-----------------------------------------------------------------------------------------------  
  
Advisory Details:  
  
Depth Security discovered a vulnerability in Solarwinds Virtualization Manager Java RMI service. This attack does not require authentication of any kind.  
  
1) Deserialization of Untrusted Data in Solarwinds Virtualization Manager: CVE-2016-3642  
  
The vulnerability exists due to the deserialization of untrusted data in the RMI service running on port 1099/TCP.  
A remote attacker can execute operating system commands as an unprivileged user.  
  
-----------------------------------------------------------------------------------------------  
  
Solution:  
  
Solarwinds has released a hotfix to remediate this vulnerability on existing installations.  
  
This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances.  
  
-----------------------------------------------------------------------------------------------  
  
Proof of Concept:  
  
The following is an example of the usage of the "ysoserial" tool to execute operating system commands against the 10.10.10.10 host.  
  
java -cp ysoserial-0.0.2-all.jar ysoserial.RMIRegistryExploit 10.10.10.10 1099 CommonsCollections1 'OS COMMANDS HERE'  
  
-----------------------------------------------------------------------------------------------  
  
References:  
  
[1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.  
[2] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - Targeted to developers and security practitioners, CWE is a formal list of software weakness types.  
  
  
`

15 Jun 2016 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.22376