Attacker Value

Low

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2022-38108

Disclosure Date: October 19, 2022 •

CVE-2022-38108 CVSS v3 Base Score: 7.2

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/windows/misc/solarwinds_amqp_deserialization

Common in enterprise Easy to weaponize Gives privileged access Vulnerable in default configuration Authenticated Requires elevated access

Description

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Add Assessment

zeroSteiner (315)

March 17, 2023 6:23pm UTC (8 months ago)

Ratings

Attacker Value

Low

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Vulnerable in default configuration Authenticated Requires elevated access

Technical Analysis

The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

In order to authenticate to the AMQP service, a user would need to already have admin access to add a RabbitMQ user, or have recovered the credentials to the orion account that SolarWinds sets up automatically. For that reason, I’ve marked this as “Authenticated” and “Requires elevated access” because the orion account is not any ordinary user.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.2 High

Impact Score:

5.9

Exploitability Score:

1.2

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

High

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

solarwinds

Products

orion platform,
orion platform 2020.2.6,
orion platform 2022.2,
orion platform 2022.3

Metasploit Modules

exploit/windows/misc/solarwinds_amqp_deserialization (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/solarwinds_amqp_deserialization.rb)

References

Canonical

CVE-2022-38108 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38108)

Miscellaneous

https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108

https://www.zerodayinitiative.com/advisories/ZDI-CAN-17531

http://packetstormsecurity.com/files/171567/SolarWinds-Information-Service-SWIS-Remote-Command-Execution.html

Rapid7

Low

CVE-2022-38108

Low

Very High

None

High

Network

CVE-2022-38108

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Low

CVE-2022-38108

Low

Very High

None

High

Network

CVE-2022-38108

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification