CVE-2016-3643

unknown KEV

Published 2021-11-03 · Modified 2021-11-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo.

CISA KEV

Vendor: SolarWinds
Product: Virtualization Manager
Due date: 2022-05-03

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-39967 local linux text · 2 KB

Nate Kettlewell · 2016-06-16

SolarWinds Virtualization Manager - Local Privilege Escalation

text exploit Source: Exploit-DB

Product: Solarwinds Virtualization Manager

Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1

Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016

Vulnerability Type: Security Misconfiguration
CVE Reference: CVE-2016-3643
Risk Level: High
CVSSv2 Base Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H)
Solution Status: Solution Available

Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

Depth Security discovered a vulnerability in Solarwinds Virtualization Manager appliance.
This attack requires a user to have an operating system shell on the vulnerable appliance.

1) Misconfiguration of sudo in Solarwinds Virtualization Manager: CVE-2016-3643

The vulnerability exists due to the miconfiguration of sudo in that it allows any local user to use sudo to execute commands as the superuser.
A local attacker can obtain root privileges to the operating system regardless of privilege level.

-----------------------------------------------------------------------------------------------

Solution:

Solarwinds has released a hotfix to remediate this vulnerability on existing installations.

This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances.

-----------------------------------------------------------------------------------------------

Proof of Concept:

The following is an example of the commands necessary for a low-privileged user to dump the contents of the "/etc/shadow" file by using sudo.

sudo cat /etc/passwd

-----------------------------------------------------------------------------------------------

References:

[1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.

References

https://nvd.nist.gov/vuln/detail/CVE-2016-3643

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.