Description
A critical vulnerability has been identified in the XML parser component of SolarWinds Security Event Manager. This vulnerability allows an unauthenticated attacker to abuse the SEM service, resulting in remote code execution.
Affected Product(s)
- SolarWinds Security Event Manager, versions prior to 2023.4.1
Technical Details
SolarWinds Security Event Manager (SEM) is a widely used log and event manager designed to provide efficient security monitoring, threat visibility, and compliance reporting. It streamlines the collection, analysis, and management of log data to help organizations identify security threats and adhere to various regulatory standards. However, a critical vulnerability (CVE-2024-0692) has been discovered in its XML parser component, which allows unauthenticated attackers to remotely execute arbitrary code on the SEM system through deserialization of untrusted data.
The vulnerability stems from the improper handling of Action Message Format (AMF) data. AMF is a binary format used to serialize and deserialize data, such as objects and messages, primarily in Adobe Flash applications. SEM uses Apache Flex BlazeDS (version 4.7.3) for data communication, which supports AMF serialization and deserialization. However, the BlazeDS configuration shipped with the affected SEM versions permits the deserialization of potentially dangerous classes. The services-config.xml file in SEM defines various endpoints for AMF data processing; for instance, the endpoint at /services/messagebroker/streamingamf processes incoming AMF requests through the ManagedSecureStreamingAmfEndpoint class.
Unfortunately, the configuration permits the deserialization of any class, as indicated by the wildcard pattern (.*) set in the allow-classes property of the ClassDeserializationValidator section. This loose policy lets an attacker send crafted AMF payloads that reference arbitrary classes, resulting in code execution. BlazeDS 4.7.3 attempts to mitigate deserialization risks by default, but SEM’s configuration overrides these safeguards and allows the deserialization of arbitrary objects.
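The wildcard described above is straightforward to check for. The following script is an added example written for this advisory, not code from SolarWinds or the BlazeDS project: it parses a services-config.xml, locates the ClassDeserializationValidator and reports any allow-classes pattern that matches every class name, which is exactly the weak setting the text describes and the setting the recommendations below say to tighten. The sample configurations embedded in it are constructed; the explicit class list in the hardened sample is illustrative, and the element layout (validators/validator/properties/allow-classes/class) follows the BlazeDS 4.7.3 validator format as assumed here.

```python
"""Audit a BlazeDS services-config.xml for an over-permissive
ClassDeserializationValidator, the weak setting described for CVE-2024-0692.
Added example for this advisory; not SolarWinds or BlazeDS code."""
import re
import xml.etree.ElementTree as ET

VALIDATOR_CLASS = "flex.messaging.validators.ClassDeserializationValidator"

# Probe names constructed for this check: an allow pattern that fully matches
# all of them effectively allows every class and is reported as a catch-all.
PROBE_CLASS_NAMES = ("java.lang.Runtime", "com.example.Anything", "X")


def is_catch_all(pattern: str) -> bool:
    """True if the regex fully matches every probe name (i.e. allows any class)."""
    try:
        compiled = re.compile(pattern)
    except re.error:
        return False  # invalid regexes are reported separately by the audit
    return all(compiled.fullmatch(name) for name in PROBE_CLASS_NAMES)


def audit_services_config(xml_text: str) -> dict:
    """Inspect the ClassDeserializationValidator in a services-config.xml.

    Returns a dict with:
      validator_present  - a ClassDeserializationValidator is configured
      allow_patterns     - every <class name="..."/> under <allow-classes>
      catch_all_patterns - allow patterns that match any class (the weak setting)
      invalid_patterns   - allow patterns that do not compile as regexes
      hardened           - validator present, no catch-all and no invalid pattern
    A missing validator is never reported as hardened: BlazeDS defaults then
    apply, and this script does not evaluate them.
    """
    root = ET.fromstring(xml_text)
    result = {"validator_present": False, "allow_patterns": [],
              "catch_all_patterns": [], "invalid_patterns": [], "hardened": False}
    for validator in root.iter("validator"):
        if validator.get("class") != VALIDATOR_CLASS:
            continue
        result["validator_present"] = True
        # Element layout assumed here: validator/properties/allow-classes/class
        for cls in validator.findall("properties/allow-classes/class"):
            pattern = cls.get("name", "")
            result["allow_patterns"].append(pattern)
            try:
                re.compile(pattern)
            except re.error:
                result["invalid_patterns"].append(pattern)
                continue
            if is_catch_all(pattern):
                result["catch_all_patterns"].append(pattern)
    result["hardened"] = bool(result["validator_present"]
                              and not result["catch_all_patterns"]
                              and not result["invalid_patterns"])
    return result


# Constructed sample configurations (not copied from SEM). The weak one uses
# the wildcard the advisory describes; the hardened one names specific classes,
# and that list is illustrative, not a recommended production allowlist.
WEAK_CONFIG = """<services-config>
  <validators>
    <validator class="flex.messaging.validators.ClassDeserializationValidator">
      <properties>
        <allow-classes>
          <class name=".*"/>
        </allow-classes>
      </properties>
    </validator>
  </validators>
</services-config>"""

HARDENED_CONFIG = """<services-config>
  <validators>
    <validator class="flex.messaging.validators.ClassDeserializationValidator">
      <properties>
        <allow-classes>
          <class name="flex\\.messaging\\.io\\.amf\\.ASObject"/>
          <class name="flex\\.messaging\\.io\\.ArrayCollection"/>
          <class name="flex\\.messaging\\.messages\\.[A-Za-z]+Message"/>
          <class name="java\\.lang\\.String"/>
        </allow-classes>
      </properties>
    </validator>
  </validators>
</services-config>"""

NO_VALIDATOR_CONFIG = "<services-config><validators/></services-config>"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("no validator", NO_VALIDATOR_CONFIG)):
        report = audit_services_config(cfg)
        print(f"{label}: hardened={report['hardened']} "
              f"catch_all={report['catch_all_patterns']} "
              f"allow={report['allow_patterns']}")
```

A pattern is treated as a catch-all only if it fully matches every probe name, so a broad pattern that still excludes some names is listed under allow_patterns for manual review rather than flagged; read that list as well as the catch-all result when auditing a real file. Because the names are regular expressions, dots in literal class names should be escaped as in the hardened sample.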
Attackers can leverage this by constructing a malicious AMF payload containing a serialized object of a class that supports unsafe deserialization. When the SEM system processes this payload, it will inadvertently execute deserialized code.
In a proof of concept (PoC) exploit, an attacker may use publicly available tools to create and send a malicious AMF payload to the /services/messagebroker/streamingamf endpoint. The payload could include a serialized object that triggers code execution upon deserialization. For example, an object of the HikariConfig class (from the HikariCP library) can be used to inject a JNDI reference, leading to further exploitation, such as remote method invocation or JDBC URL attacks. This technique enables attackers to circumvent existing security measures and gain access to sensitive parts of the SEM system.
Upon successful exploitation, the attacker can run arbitrary commands on the target server with the privileges of the SEM service user. This could result in data exfiltration, system destruction, lateral movement within the network, and potentially deploying ransomware.
The vulnerability underscores the critical need for secure configuration and proper management of deserialization mechanisms within software applications. Security patches and configuration best practices are essential to prevent exploitation and protect systems from such remote code execution vulnerabilities.
Weakness
The weakness associated with this vulnerability is the deserialization of untrusted data (CWE-502). This occurs when software deserializes data from an untrusted source without proper validation, allowing attackers to manipulate serialized objects and execute arbitrary code.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. The potential consequences include data breaches, system compromise, lateral movement within the network, and the deployment of ransomware or other malicious software.
Active Exploitation
We have observed activity from adversarial groups leveraging this vulnerability. Specifically, the adversary group has been noted for targeting similar vulnerabilities in the past to gain unauthorized access and execute arbitrary code on compromised systems.
Ransomware Association
The vulnerability has been linked to ransomware campaigns in which SEM systems are exploited to deploy ransomware. Attackers use the vulnerability to gain initial access, elevate privileges, and deploy ransomware, encrypting critical data and demanding a ransom from the affected organization.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. Please update to version 2023.4.1 immediately. This update includes fixes that secure the deserialization process and enforce stricter controls over class types that can be deserialized, thus mitigating the risk of code execution exploits.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- To apply the patch, log in to the SolarWinds SEM administration console, navigate to the updates section, and follow the instructions to update to version 2023.4.1.
- In addition to patching, review and harden SEM configurations to restrict the deserialization of untrusted classes.
- Modify the services-config.xml file to limit the classes allowed for deserialization by replacing the wildcard allow-classes pattern in the ClassDeserializationValidator section with only trusted classes.
- Regularly review and audit system logs to detect any anomalous activities indicating potential exploitation attempts.
- Implement network segmentation and appropriate access controls to limit the exposure of critical systems and sensitive data.
- Stay informed about emerging vulnerabilities and apply security updates promptly to ensure continued protection.
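As a worked illustration of the log-review recommendation, the following is an added example (not SolarWinds code): it parses web access-log lines in the common log format and reports requests to the /services/messagebroker/ endpoints that come from hosts outside the set of expected AMF clients, or that produced a server error. The log lines are constructed for this example, and both the log layout and the server-error heuristic are assumptions; SEM's own logs may need a different regular expression.

```python
"""Review access logs for requests to the BlazeDS message-broker endpoints
that CVE-2024-0692 targets. Added example for this advisory, not SolarWinds
code; the log format and heuristics are assumptions."""
import re
from collections import Counter

# Endpoint prefix from the advisory; every messagebroker endpoint is of interest.
BROKER_PREFIX = "/services/messagebroker/"

# Combined log format (assumed layout; adjust for the real access log).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, expected_clients):
    """Scan log lines for messagebroker requests worth an analyst's attention.

    A request is reported when it targets BROKER_PREFIX and either comes from
    a source outside expected_clients (the hosts that legitimately speak AMF
    to SEM) or produced a 5xx response. The 5xx rule is a heuristic: a rejected
    or failed deserialization attempt commonly surfaces as a server error.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(BROKER_PREFIX):
            continue
        reasons = []
        if rec["ip"] not in expected_clients:
            reasons.append("unexpected_source")
        if rec["status"].startswith("5"):
            reasons.append("server_error")
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["ts"],
                             "path": rec["path"], "status": int(rec["status"]),
                             "reasons": reasons})
    return findings


def count_by_source(findings):
    """Number of flagged messagebroker requests per source address."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log: one expected console host and one unknown source
# that hits the streaming AMF endpoint and gets a server error.
SAMPLE_LOG = """\
10.0.5.21 - - [12/Mar/2024:09:14:02 +0000] "POST /services/messagebroker/streamingamf HTTP/1.1" 200 512 "-" "Mozilla/5.0 (SEM console)"
198.51.100.77 - - [12/Mar/2024:09:15:40 +0000] "POST /services/messagebroker/streamingamf HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2024:09:15:41 +0000] "POST /services/messagebroker/amf HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.5.21 - - [12/Mar/2024:09:16:10 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (SEM console)"
"""

EXPECTED_CLIENTS = {"10.0.5.21"}  # constructed: hosts allowed to talk AMF to SEM


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines(), EXPECTED_CLIENTS)
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['path']} {h['status']} {','.join(h['reasons'])}")
    print("per source:", dict(count_by_source(hits)))
```

Feed the real access log through find_suspicious with the set of hosts that are actually expected to reach the AMF endpoints; on a patched system those endpoints should see no traffic from anywhere else, so every finding is worth a look rather than a threshold-based alert.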