CVE-2017-7722
Published 2017-04-12
Priority: P272 · critical · CVSS 3.0: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 12.73% (95.8th percentile)
In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiting a vulnerability in the restrictssh feature of the menuing script, an attacker can escape from the restricted shell.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | log_event_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect SSH authentication attempts to SolarWinds LEM using the default credentials: username 'cmc' and password 'password'. Successful logins with these credentials should be treated as a high-confidence indicator of exploitation.
- Monitor for restricted shell escape activity on SolarWinds LEM SSH sessions, specifically abuse of the 'restrictssh' feature within the menuing script.
- Flag SolarWinds LEM instances running version 6.3.1 or earlier (before 6.3.1 Hotfix 4) with SSH exposed, as they are vulnerable to this restricted shell escape leading to remote code execution.
- The default credentials ('cmc'/'password') are hardcoded in the product and are the prerequisite for exploitation. Changing or disabling these credentials mitigates the attack vector.
- The vulnerability is patched in SolarWinds LEM 6.3.1 Hotfix 4 and later. Unpatched instances with SSH exposed to untrusted networks are at critical risk.
CVSS provenance
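| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |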
GHSA
GHSA-fgrm-fppr-4fwr: In SolarWinds Log & Event Manager (LEM) before 6
ghsa_unreviewed·2022-05-17
CVE-2017-7722 [CRITICAL] CWE-77 GHSA-fgrm-fppr-4fwr: In SolarWinds Log & Event Manager (LEM) before 6
GHSA
Improper Restriction of XML External Entity Reference in PMD
ghsa·2022-05-14
CVE-2019-7722 [HIGH] CWE-611 Improper Restriction of XML External Entity Reference in PMD
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers who tamper with those files (either by direct modification or by MITM attacks when remote rulesets are used) to perform information disclosure, denial of service, or request forgery attacks. (PMD 6.x is unaffected because of a 2017-09-15 change.)
- https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/
- https://thwack.solarwinds.com/thread/111223