SolarWinds Security Event Manager (SEM) update for third-party components



Published: 2024-03-06
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2023-48795
CVE-2023-3961
CVE-2023-4154
CVE-2023-42670
CWE-ID CWE-326
CWE-285
CWE-200
CWE-399
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Security Event Manager (SEM)
Server applications / Other server solutions

Vendor SolarWinds

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Inadequate encryption strength

EUVDB-ID: #VU84537

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-48795

CWE-ID: CWE-326 - Inadequate Encryption Strength

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to incorrect implementation of the SSH Binary Packet Protocol (BPP), which mishandles the handshake phase and the use of sequence numbers. A remote attacker can perform MitM attack and delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.

The vulnerability was dubbed "Terrapin attack" and it affects both client and server implementations.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Security Event Manager (SEM): 6.7.2 - 2023.4

External links

http://documentation.solarwinds.com/en/Success_Center/SEM/Content/release_notes/sem_2023-4-1_release_notes.htm


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Authorization

EUVDB-ID: #VU81875

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3961

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when handling client pipe names. A remote attacker can provide a specially crafted pipe name containing directory traversal characters and force Samba to connect to Unix domain sockets outside of the private directory meant to restrict the services a client could connect to.The connection to Unix domain sockets is performed as root, which means that if client sends a pipe name that resolved to an external service using an existing Unix domain socket, the client is able to connect to it without any filesystem restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Security Event Manager (SEM): 6.7.2 - 2023.4

External links

http://documentation.solarwinds.com/en/Success_Center/SEM/Content/release_notes/sem_2023-4-1_release_notes.htm


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU81874

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4154

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to a design error in Samba's implementation of the DirSync control, which can allow replication of critical domain passwords and secrets by Active Directory accounts authorized to do some replication, but not to replicate sensitive attributes. A remote user can obtain sensitive information from the AD DC and compromise the Active Directory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Security Event Manager (SEM): 6.7.2 - 2023.4

External links

http://documentation.solarwinds.com/en/Success_Center/SEM/Content/release_notes/sem_2023-4-1_release_notes.htm


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource management error

EUVDB-ID: #VU81867

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-42670

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when Samba RPC server is under load, which can lead to incorrect start of servers not built for the AD DC. A remote user can cause a high load to Samba RPC server and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Security Event Manager (SEM): 6.7.2 - 2023.4

External links

http://documentation.solarwinds.com/en/Success_Center/SEM/Content/release_notes/sem_2023-4-1_release_notes.htm


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###