[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CVE-2016-3643 - Misconfiguration of sudo in Solarwinds Virtualization Manager
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CVE-2016-3643 - Misconfiguration of sudo in Solarwinds Virtualization Manager
- From: Nate Kettlewell <nate@xxxxxxxxxxxxxxxxx>
- Date: Wed, 15 Jun 2016 13:57:55 +0000
Product: Solarwinds Virtualization Manager
Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1
Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016
Vulnerability Type: Security Misconfiguration
CVE Reference: CVE-2016-3643
Risk Level: High
CVSSv3 Base Score: 7.8
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H)
Solution Status: Solution Available
Discovered and Provided: Nate Kettlewell, Depth Security (
https://www.depthsecurity.com/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
Depth Security discovered a vulnerability in Solarwinds Virtualization Manager
appliance.
This attack requires a user to have an operating system shell on the vulnerable
appliance.
1) Misconfiguration of sudo in Solarwinds Virtualization Manager: CVE-2016-3643
The vulnerability exists due to the miconfiguration of sudo in that it allows
any local user to use sudo to execute commands as the superuser.
A local attacker can obtain root privileges to the operating system regardless
of privilege level.
-----------------------------------------------------------------------------------------------
Solution:
Solarwinds has released a hotfix to remediate this vulnerability on existing
installations.
This flaw as well as several others have been corrected and that release has
been put into manufacturing for new appliances.
-----------------------------------------------------------------------------------------------
Proof of Concept:
The following is an example of the commands necessary for a low-privileged user
to dump the contents of the "/etc/shadow" file by using sudo.
sudo cat /etc/passwd
-----------------------------------------------------------------------------------------------
References:
[1] Solarwinds Virtualization Manager-
http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization
Manager provides monitoring and remediation for virtualized environments.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/