Title:

SolarWinds Log & Event Manager – Arbitrary Command Injection

Release Date:

May 12, 2017

Patch Date:

April 10, 2017

Reported Date:

February 7, 2017

Vendor:

SolarWinds

Systems Affected:

SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4

Summary:

The Bishop Fox assessment team discovered an arbitrary command injection vulnerability in the management console (CMC) of the SolarWinds Log & Event Manager (LEM). The CMC is a restricted environment that provides functionality for upgrading and maintaining LEM appliances. This vulnerability allows an authenticated user to bypass the restrictions imposed by the CMC and execute arbitrary commands on the vulnerable system as the root user.

Vendor Status:

The vendor has been notified and has issued patches.

Exploit Availability:

To demonstrate the impact of this vulnerability, the assessment team injected syntax to break out of the LEM application and execute a system shell:

As shown in the above proof of concept, the research team fully compromised the affected system by exploiting this vulnerability.
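To illustrate the CWE-78 pattern behind this advisory, the following is an added example (not SolarWinds code and not the Bishop Fox proof of concept) of a hypothetical restricted maintenance console: one dispatcher splices a user argument into a shell command string, the hardened one allowlists the verb, validates the argument and executes an argv list without any shell, and a small check flags audit lines carrying shell metacharacters. The command names, validation pattern and audit log format are assumptions.

```python
"""Hypothetical model of a restricted appliance console (not SolarWinds code).
Contrasts the CWE-78 pattern (user input spliced into a shell string) with a
dispatcher that never hands user input to a shell at all."""
import re
import subprocess

# Constructed allowlist: console verb -> argv template. "{arg}" is replaced
# by the validated user argument as its own list element.
COMMANDS = {
    "ping": ["ping", "-c", "3", "{arg}"],
    "traceroute": ["traceroute", "{arg}"],
}

# Hostnames and dotted IPs only; shell metacharacters cannot match this.
ARG_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters a shell would interpret; used by the audit check below.
METACHARS = re.compile(r"[;&|`$(){}<>\n]")


def vulnerable_command_line(verb, arg):
    """Insecure pattern: concatenation destined for a shell (returned, not
    executed, so the resulting string can be inspected safely)."""
    return f"{verb} {arg}"


def hardened_argv(verb, arg):
    """Secure pattern: allowlisted verb, validated argument, argv list."""
    if verb not in COMMANDS:
        raise ValueError(f"unknown console command: {verb!r}")
    if not ARG_RE.fullmatch(arg):
        raise ValueError("argument contains characters outside the allowed set")
    return [arg if part == "{arg}" else part for part in COMMANDS[verb]]


def accepts(verb, arg):
    """True if the hardened dispatcher would run this verb/argument pair."""
    try:
        hardened_argv(verb, arg)
        return True
    except ValueError:
        return False


def run_hardened(verb, arg):
    """Executes with no shell involved, so metacharacters carry no meaning."""
    return subprocess.run(hardened_argv(verb, arg), capture_output=True, text=True, check=False)


def flag_injection_attempts(audit_lines):
    """Returns audit entries whose argument carries shell metacharacters.
    Constructed line format: '<user> <verb> <argument...>'."""
    flagged = []
    for line in audit_lines:
        parts = line.split(" ", 2)
        if len(parts) == 3 and METACHARS.search(parts[2]):
            flagged.append(line)
    return flagged
```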

Researcher:

Baker Hamilton, MD, MMSc of Bishop Fox

For Reference:

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

CVE – CVE-2017-7647

LEM v6.3.1 Hotfix 4 is now available

The team at Bishop Fox would like to thank SolarWinds for their cooperation in quickly resolving this matter!