CVE-2016-4350
📋 TL;DR
This CVE describes multiple SQL injection vulnerabilities in SolarWinds Storage Resource Monitor Profiler web services. Attackers can execute arbitrary SQL commands via 34 different parameters across multiple servlets, potentially leading to full system compromise. Affected systems are those running SolarWinds SRM Profiler (formerly Storage Manager) versions before 6.2.3.
💻 Affected Systems
- SolarWinds Storage Resource Monitor Profiler
- SolarWinds Storage Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote attackers can execute arbitrary SQL commands leading to complete database compromise, data theft, privilege escalation, and potential remote code execution on the underlying server.
Likely Case
Attackers can extract sensitive database information, modify or delete data, and potentially gain administrative access to the SolarWinds SRM Profiler system.
If Mitigated
With proper network segmentation and access controls, impact could be limited to the database layer only, preventing lateral movement to other systems.
🎯 Exploit Status
SQL injection vulnerabilities are well-understood attack vectors with many available exploitation tools. The multiple injection points increase attack surface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.3
Vendor Advisory: http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm
Restart Required: Yes
Instructions:
1. Download SolarWinds SRM Profiler version 6.2.3 or later from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade to the patched version.
4. Restart the SolarWinds SRM Profiler service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the SolarWinds SRM Profiler web services port (typically 17778) to trusted management networks only.
Use firewall rules to block port 17778 from untrusted networks
Web Application Firewall
Deploy a WAF with SQL injection protection rules in front of the SolarWinds SRM Profiler web interface.
🧯 If You Can't Patch
- Isolate the SolarWinds SRM Profiler system on a dedicated management VLAN with strict access controls
- Implement network-based intrusion detection/prevention systems with SQL injection signatures
🔍 How to Verify
Check if Vulnerable:
Check the SolarWinds SRM Profiler version in the web interface under Help > About, or examine the installed version in the Windows Programs list.
Check Version:
On Windows: Check installed programs list. On Linux: Check package version or web interface.
Verify Fix Applied:
Verify the version is 6.2.3 or later and test that SQL injection attempts against the listed parameters are properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by SQL syntax in web server logs
- Unexpected database schema changes
Network Indicators:
- SQL injection patterns in HTTP requests to port 17778
- Unusual outbound database connections from the SRM server
SIEM Query:
source="solarwinds_srm" AND (http_request CONTAINS "SELECT" OR http_request CONTAINS "UNION" OR http_request CONTAINS "INSERT" OR http_request CONTAINS "DELETE")
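The SIEM query above matches raw substrings in the request line. The following added example (not part of the original advisory) shows the same detection done more robustly over web server access log lines: it URL-decodes each query parameter, handles double-encoded values, and matches SQL keywords case-insensitively. The log format, servlet path and parameter names are constructed placeholders, not the real SRM Profiler endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Case-insensitive so that "union select" or "UnIoN SeLeCt" is not missed.
# Heuristic only: "--" or "/*" inside a legitimate value will also fire.
SQLI_PATTERN = re.compile(
    r"(\bUNION\b.*\bSELECT\b|\bSELECT\b.*\bFROM\b|\bINSERT\b.*\bINTO\b|"
    r"\bDELETE\b.*\bFROM\b|'\s*(OR|AND)\s+[^=]*=|--|/\*)",
    re.IGNORECASE | re.DOTALL,
)

# Combined-log-format line: client, identity, user, timestamp, request, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+')

# Constructed sample lines; the servlet and parameter names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2016:12:00:01 +0000] "GET /SRM/fakeServlet?reportId=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/May/2016:12:00:02 +0000] "GET /SRM/fakeServlet?reportId=42%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/May/2016:12:00:03 +0000] "GET /SRM/fakeServlet?name=1%2520union%2520select%25202 HTTP/1.1" 200 128',
]


def suspicious_params(request_path):
    """Return (param, decoded_value) pairs whose value looks like SQL."""
    query = urlsplit(request_path).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded values
        if SQLI_PATTERN.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return (client_ip, servlet_path, [(param, value), ...]) for each line
    whose query string carries SQL-like content."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, path, _status = m.groups()
        hits = suspicious_params(path)
        if hits:
            findings.append((client, urlsplit(path).path, hits))
    return findings


if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path} {hits}")
```

Point the scanner at the access log of the service on port 17778 and review the flagged clients against the "Network Indicators" list above.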
🔗 References
- http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm
- http://www.zerodayinitiative.com/advisories/ZDI-16-249
- http://www.zerodayinitiative.com/advisories/ZDI-16-250
- http://www.zerodayinitiative.com/advisories/ZDI-16-251
- http://www.zerodayinitiative.com/advisories/ZDI-16-252
- http://www.zerodayinitiative.com/advisories/ZDI-16-253
- http://www.zerodayinitiative.com/advisories/ZDI-16-254
- http://www.zerodayinitiative.com/advisories/ZDI-16-255
- http://www.zerodayinitiative.com/advisories/ZDI-16-256
- http://www.zerodayinitiative.com/advisories/ZDI-16-257
- http://www.zerodayinitiative.com/advisories/ZDI-16-258
- http://www.zerodayinitiative.com/advisories/ZDI-16-259
- http://www.zerodayinitiative.com/advisories/ZDI-16-260
- http://www.zerodayinitiative.com/advisories/ZDI-16-261
- http://www.zerodayinitiative.com/advisories/ZDI-16-262
- http://www.zerodayinitiative.com/advisories/ZDI-16-263
- http://www.zerodayinitiative.com/advisories/ZDI-16-264
- http://www.zerodayinitiative.com/advisories/ZDI-16-265
- http://www.zerodayinitiative.com/advisories/ZDI-16-266
- http://www.zerodayinitiative.com/advisories/ZDI-16-267
- http://www.zerodayinitiative.com/advisories/ZDI-16-268
- http://www.zerodayinitiative.com/advisories/ZDI-16-269
- http://www.zerodayinitiative.com/advisories/ZDI-16-270
- http://www.zerodayinitiative.com/advisories/ZDI-16-271
- http://www.zerodayinitiative.com/advisories/ZDI-16-272