Solarwinds Virtualization Manager 6.3.1 Privilege Escalation

Type packetstorm
Reporter Nate Kettlewell
Modified 2016-06-15T00:00:00


                                            `Product: Solarwinds Virtualization Manager  
Vendor: Solarwinds  
Vulnerable Version(s): < 6.3.1  
Tested Version: 6.3.1  
Vendor Notification: April 25th, 2016  
Vendor Patch Availability to Customers: June 1st, 2016  
Public Disclosure: June 14th, 2016  
Vulnerability Type: Security Misconfiguration  
CVE Reference: CVE-2016-3643  
Risk Level: High  
Solution Status: Solution Available  
Discovered and Provided: Nate Kettlewell, Depth Security ( )  
Advisory Details:  
Depth Security discovered a vulnerability in Solarwinds Virtualization Manager appliance.  
This attack requires a user to have an operating system shell on the vulnerable appliance.  
1) Misconfiguration of sudo in Solarwinds Virtualization Manager: CVE-2016-3643  
The vulnerability exists due to the miconfiguration of sudo in that it allows any local user to use sudo to execute commands as the superuser.  
A local attacker can obtain root privileges to the operating system regardless of privilege level.  
Solarwinds has released a hotfix to remediate this vulnerability on existing installations.  
This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances.  
Proof of Concept:  
The following is an example of the commands necessary for a low-privileged user to dump the contents of the "/etc/shadow" file by using sudo.  
sudo cat /etc/passwd  
[1] Solarwinds Virtualization Manager- - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.