CVE-2022-38108
Published: 2022-10-20
Priority: P2 · CVSS 3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 69.55% (99.3rd percentile)
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | orion_platform | < 2020.2.6 | 2020.2.6 |
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | — | — |
| solarwinds | orion_platform | unspecified – 2020.2.6 HF5 and prior versions | — |
| solarwinds | solarwinds_platform | unspecified – 2022.3 and prior versions | — |
Detection & IOCs (extracted from sources)
- Monitor AMQP message queue traffic (typically port 5671/5672) for crafted messages containing serialized .NET objects originating from authenticated but unauthorized or suspicious users targeting the SolarWinds Information Service (SWIS).
- Alert on unexpected child processes spawned by the SolarWinds Information Service (SWIS) process running as NT AUTHORITY\SYSTEM, which may indicate successful .NET deserialization RCE exploitation.
- Detect exploitation attempts via the SolarWinds Web Console by monitoring for Orion admin-level account activity that triggers deserialization of untrusted data payloads.
- Exploitation requires valid authentication to the AMQP service; restrict AMQP access to trusted hosts only and enforce strong credential controls for Orion admin accounts.
- The attack vector requires Orion admin-level account access to the SolarWinds Web Console, meaning compromised or insider admin credentials are a prerequisite for exploitation.
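Detection logic for the first two signals above (serialized .NET objects on the AMQP ports from an unexpected sender, and child processes of the SWIS service running as SYSTEM), written here as an added example that is not code from the advisory, SolarWinds or the Trend Micro post. The SWIS process image name, the event field names and the sample telemetry are assumptions.

```python
# A .NET BinaryFormatter stream starts with a SerializationHeaderRecord:
# RecordType 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")

SWIS_IMAGE = "SolarWinds.InformationService.ServiceV3.exe"  # assumed name; verify locally
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Interpreters that should never be children of a service host: rank them 'high'.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def body_has_binaryformatter(body: bytes) -> bool:
    """True if the AMQP body carries a BinaryFormatter stream anywhere (the
    serialized object may be wrapped in a frame, so search, don't prefix-match)."""
    return BINARYFORMATTER_HEADER in body


def suspicious_amqp_messages(messages, allowed_senders):
    """Return (sender, port) for serialized .NET payloads on 5671/5672 that
    come from an account outside the allow-list of expected SWIS publishers."""
    return [(m["sender"], m["dst_port"]) for m in messages
            if m["dst_port"] in (5671, 5672)
            and m["sender"] not in allowed_senders
            and body_has_binaryformatter(m["body"])]


def unexpected_swis_children(events):
    """Flag process creations whose parent is the SWIS service running as
    SYSTEM. Returns (severity, child image) tuples."""
    findings = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if parent == SWIS_IMAGE.lower() and ev["User"].upper() == SYSTEM_USER:
            child = ev["Image"].rsplit("\\", 1)[-1].lower()
            findings.append(("high" if child in SHELLS else "medium", child))
    return findings


# Constructed sample telemetry, not real captures.
SAMPLE_AMQP = [
    {"sender": "swis-svc", "dst_port": 5672, "body": b"\x00\x01plain-text-query"},
    {"sender": "orion-admin-7", "dst_port": 5672,
     "body": b"\x00Sc\x00" + BINARYFORMATTER_HEADER + b"\x0c\x02..."},
]
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\SW\\" + SWIS_IMAGE, "Image": "C:\\Windows\\System32\\cmd.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "User": "CORP\\alice"},
]

if __name__ == "__main__":
    print(suspicious_amqp_messages(SAMPLE_AMQP, {"swis-svc"}))
    print(unexpected_swis_children(SAMPLE_EVENTS))
```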
No detection rules found.
Source: Trend Micro (blogs_trendmicro) · 2023-09-21 · CVSS 7.2 [HIGH]
## Finding Deserialization Bugs in the SolarWinds Platform
How to find deserialization bugs in the SolarWinds platform.
By: Zero Day Initiative, Sep 21, 2023
It’s been a while since I have written a blog post; please accept my sincerest apologies. This is because a lot of fun stuff that I’ve recently done is going to be presented during conferences.
Please treat this post as a small introduction to my upcoming Hexacon 2023 talk titled “Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization”. The entire talk and research was inspired by two small research projects, one of which focused on issues in SolarWinds deserialization.
In this blog post, I would like to present four old vulnerabilities that were fixed
References:
- http://packetstormsecurity.com/files/171567/SolarWinds-Information-Service-SWIS-Remote-Command-Execution.html
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108
- https://www.zerodayinitiative.com/advisories/ZDI-CAN-17531
- https://packetstorm.news/files/id/171567