CVE-2022-47506
📋 TL;DR
CVE-2022-47506 is a directory traversal vulnerability in SolarWinds Platform that allows authenticated local attackers to modify default configurations and execute arbitrary commands. This affects organizations using vulnerable SolarWinds Platform versions. Attackers need authenticated access to exploit this vulnerability.
💻 Affected Systems
- SolarWinds Platform
📦 What is this software?
Orion Platform by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary command execution leading to data theft, lateral movement, or ransomware deployment
Likely Case
Privilege escalation and unauthorized configuration changes allowing persistence and further exploitation
If Mitigated
Limited impact due to strong authentication controls and network segmentation restricting attacker movement
🎯 Exploit Status
Exploitation requires authenticated access, but going from directory traversal to command execution is straightforward
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SolarWinds Platform 2023.1 or later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506
Restart Required: Yes
Instructions:
1. Download SolarWinds Platform 2023.1 or later from the SolarWinds customer portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart SolarWinds services after installation.
🔧 Temporary Workarounds
Restrict User Access
Limit authenticated user access to only necessary personnel and implement least privilege principles
Network Segmentation
Isolate SolarWinds Platform from critical systems and implement strict network access controls
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for all SolarWinds accounts
- Monitor and audit configuration changes and command execution activities on SolarWinds systems
🔍 How to Verify
Check if Vulnerable:
Check SolarWinds Platform version in web interface under Settings > All Settings > Product Information
Check Version:
In SolarWinds web interface: Settings > All Settings > Product Information
Verify Fix Applied:
Verify version is 2023.1 or later and check vendor advisory for specific patch verification steps
📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration file modifications
- Unusual command execution patterns in SolarWinds logs
- Directory traversal attempts in web server logs
Network Indicators:
- Unexpected outbound connections from SolarWinds servers
- Anomalous authentication patterns to SolarWinds
SIEM Query:
source="solarwinds" AND (event_type="config_change" OR event_type="command_exec") | stats count by user, src_ip
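The "directory traversal attempts in web server logs" indicator, written as offline detection logic and grouped by user and source IP like the SIEM query above. This is an added example, not SolarWinds or vendor code; it assumes the web console logs are in IIS W3C format, and the log lines, paths and account names are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C log lines (not real traffic). Paths and accounts are
# placeholders; the #Fields header drives parsing, so field order may vary.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2023-03-01 10:00:01 10.0.0.5 CORP\\alice GET /Orion/SummaryView.aspx ViewID=1 200
2023-03-01 10:00:07 10.0.0.9 CORP\\bob POST /Orion/Placeholder.ashx file=..%5c..%5cconfig%5capp.config 200
2023-03-01 10:00:09 10.0.0.9 CORP\\bob GET /Orion/Placeholder.ashx path=%252e%252e%252fweb.config 404
2023-03-01 10:00:12 10.0.0.7 - GET /Orion/Login.aspx ReturnUrl=%2fOrion%2f 200
2023-03-01 10:00:15 10.0.0.5 CORP\\alice GET /Orion/Export.ashx name=report..v2.csv 200
"""

# A '..' counts only as a whole path segment, so 'report..v2.csv' is ignored.
TRAVERSAL = re.compile(r"(?:^|[/=&?;])\.\.(?:/|$)")


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding) and unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def find_traversal(log_text):
    """Count requests containing a '..' path segment, keyed by (user, src_ip)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = normalize(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        if TRAVERSAL.search(target):
            hits[(row.get("cs-username", "-"), row.get("c-ip", "-"))] += 1
    return hits


if __name__ == "__main__":
    for (user, ip), count in find_traversal(SAMPLE_LOG).most_common():
        print(f"{count} traversal-like request(s) user={user} src_ip={ip}")
```

Hits are leads for review rather than proof of exploitation; correlate them with configuration-change events for the same account.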
🔗 References
- https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506