CVE-2016-3643
Published 2016-06-17
Priority P180 high · 7.8 CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS 3.70% (88.4th percentile)
SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | virtualization_manager | <= 6.3.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for low-privileged users invoking 'sudo' to execute commands such as 'cat /etc/passwd' or 'cat /etc/shadow' on SolarWinds Virtualization Manager appliances, which indicates abuse of the misconfigured sudo policy.
- Audit sudoers configuration on SolarWinds Virtualization Manager appliances for overly permissive rules that allow any local user to execute arbitrary commands as superuser.
- This attack requires an OS-level shell on the appliance; correlate with any interactive shell sessions or SSH logins by non-administrative accounts on the Virtualization Manager appliance.
- Exploitation is local only: an attacker must already have an OS shell on the SolarWinds Virtualization Manager appliance before leveraging the sudo misconfiguration.
- Affected versions are SolarWinds Virtualization Manager 6.3.1 and earlier; versions after the hotfix/manufacturing release are not vulnerable.
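The two defender checks listed above (audit the sudoers policy for rules that hand arbitrary root commands to a broad set of local users, and watch sudo logs for non-administrative accounts reading sensitive files) can be scripted. The following is an added example, not code from the page, from SolarWinds or from any of the cited sources. The sudoers lines, the syslog-style sudo log lines, the host name `vman`, the group names and the administrative allow-list are all constructed for illustration; the sudoers grammar handled is the common single-principal form only (aliases and comma-separated user lists are not parsed).

```python
"""Added example: two defender checks for the CVE-2016-3643 guidance.

1. audit_sudoers(): flag sudoers rules that let a broad principal run
   arbitrary commands as root (the misconfiguration class behind this CVE).
2. scan_sudo_log(): flag sudo invocations by accounts outside an allow-list,
   and note when the command reads a sensitive file such as /etc/passwd.

All sample data below is constructed; nothing is taken from a real appliance.
"""
import re

# Principals that effectively mean "every local user" (constructed list).
BROAD_PRINCIPALS = {"ALL", "%users", "%everyone"}
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")

# Simple sudoers rule:  principal host=(runas) [TAG:] command
SUDOERS_RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAGS_RE = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

# Syslog-style sudo entry; the exact layout is an assumption for this example.
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
ALL     ALL=(ALL) NOPASSWD: ALL
%users  ALL=(root) /usr/bin/cat /var/log/vman/*.log
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart vman
"""

SAMPLE_AUTH_LOG = [
    "Jun 17 10:01:22 vman sudo:  admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl status vman",
    "Jun 17 10:02:05 vman sudo:  webapp : TTY=pts/1 ; PWD=/opt/vman ; USER=root ; COMMAND=/bin/cat /etc/passwd",
    "Jun 17 10:02:09 vman sudo:  webapp : TTY=pts/1 ; PWD=/opt/vman ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jun 17 10:03:44 vman sudo:  admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/cat /etc/passwd",
    "Jun 17 10:04:00 vman sshd[812]: Accepted password for webapp from 10.0.0.5 port 51022 ssh2",
]


def audit_sudoers(sudoers_text):
    """Return a list of findings for rules granting unrestricted root commands."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE_RE.match(line)
        if not m:
            continue
        principal, _host, _runas, spec = m.groups()
        tags, cmd = TAGS_RE.match(spec).groups()
        cmd = cmd.strip()
        if principal == "root" or cmd != "ALL":       # root, or command-restricted rule
            continue
        reasons = []
        if principal in BROAD_PRINCIPALS:
            reasons.append(f"broad principal {principal} may run any command")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if reasons:
            findings.append({"line": lineno, "principal": principal,
                             "rule": line, "reasons": reasons})
    return findings


def scan_sudo_log(lines, allowed_users):
    """Return alerts for sudo use by accounts not in allowed_users."""
    alerts = []
    for line in lines:
        m = SUDO_LOG_RE.search(line)
        if not m:
            continue                                   # not a sudo entry
        user, runas, cmd = m.group("user"), m.group("runas"), m.group("cmd")
        if user in allowed_users:
            continue
        reason = "sudo by non-administrative account"
        if any(path in cmd for path in SENSITIVE_FILES):
            reason += ", reads sensitive file"
        alerts.append({"user": user, "runas": runas, "cmd": cmd, "reason": reason})
    return alerts


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers line {f['line']}: {f['rule']}  <- {'; '.join(f['reasons'])}")
    for a in scan_sudo_log(SAMPLE_AUTH_LOG, allowed_users={"admin"}):
        print(f"ALERT {a['user']} ran as {a['runas']}: {a['cmd']}  <- {a['reason']}")
```

Running the script flags only the `ALL ALL=(ALL) NOPASSWD: ALL` line from the sample policy (the `%admin` rule is unrestricted but scoped to an administrative group, and the `%users` and `deploy` rules are command-restricted), and raises two alerts for the `webapp` account's `cat /etc/passwd` and `cat /etc/shadow` invocations while ignoring the same command run by the allow-listed `admin` user.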
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
GHSA
GHSA-fww7-75jj-wj62: SolarWinds Virtualization Manager 6
GHSA (unreviewed) · 2022-05-17 · CVE-2016-3643 [HIGH]
SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd."
VulnCheck
SolarWinds Virtualization Manager Privilege Escalation Vulnerability
VulnCheck · 2016 · CVSS 7.8 · CVE-2016-3643 [HIGH] · CWE-264
SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo.
Affected: SolarWinds Virtualization Manager
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
CISA
SolarWinds Virtualization Manager Privilege Escalation Vulnerability
CISA · 2021-11-03 · CVSS 7.8 · CVE-2016-3643 [HIGH] · CWE-264
Vulnerability: SolarWinds Virtualization Manager Privilege Escalation Vulnerability
Affected: SolarWinds Virtualization Manager
SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-3643
Remediation Due Date: 2022-05-03
No detection rules found.
References
- http://packetstormsecurity.com/files/137487/Solarwinds-Virtualization-Manager-6.3.1-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2016/Jun/26
- https://www.exploit-db.com/exploits/39967/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3643
Timeline
- 2016-06-17: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild