CVE-2022-47508

7.5 HIGH

📋 TL;DR

SolarWinds SAM polls monitored Windows hosts with a stored domain credential. When Kerberos authentication is configured for polling but a node is addressed by IP rather than by name, Windows cannot map the target to a Kerberos service principal name (SPNs are name-based), so the connection silently negotiates down to NTLM instead of the expected Kerberos. The polling account's NTLM exchange can then be captured on the network (a Net-NTLMv2 response can be cracked offline) or relayed to another host that still accepts NTLM, with whatever rights that account holds there. It affects customers who configured Kerberos for polling and have nodes added by IP address.

💻 Affected Systems

Products:
  • SolarWinds Server & Application Monitor (SAM)
Versions: Versions prior to SAM 2023.1
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only affects deployments where Kerberos authentication was specifically configured for polling and at least one node is polled by IP address, which causes the silent fallback to NTLM. Nodes polled by DNS name are not affected.

📦 What is this software?

SolarWinds Server & Application Monitor (SAM) is a module of the SolarWinds Platform (formerly Orion) that polls servers and the applications running on them for availability and performance data. Windows hosts are polled remotely over WMI and other Windows remote-management protocols under a stored domain account, which is why the authentication protocol that account ends up using matters.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker on the poller-to-target path captures or relays the polling account's NTLM authentication. Because the account used for WMI polling is often a local administrator on every monitored host, a relay to any host that still accepts unsigned NTLM authentication (SMB, LDAP, HTTP) yields that access, including to SolarWinds SAM itself, and a captured Net-NTLMv2 response can be cracked offline to recover the account's password.

🟠

Likely Case

NTLM logons from the SAM poller appear on polled hosts (and as NTLM credential validations on domain controllers) in an environment where only Kerberos was expected. The polling credential is exposed to anyone positioned on, or able to redirect, the poller-to-target path, and to NTLM relay attacks within the network.

🟢

If Mitigated

With the poller and its targets on a segmented management network, SMB/LDAP signing required, and NTLM auditing in place, the risk is limited to exposure of the polling account's credential within the monitoring segment, and any fallback to NTLM is detected quickly.

🌐 Internet-Facing: LOW - This vulnerability primarily affects internal authentication mechanisms and requires network access to intercept NTLM traffic.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could intercept NTLM traffic and perform relay attacks within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to intercept NTLM traffic and ability to perform NTLM relay attacks. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SAM 2023.1

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47508

Restart Required: Yes

Instructions:

1. Download SAM 2023.1 or later from the SolarWinds Customer Portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart SAM services after installation.

🔧 Temporary Workarounds

Configure DNS resolution for polling targets

windows

Ensure every polling target is configured by DNS hostname instead of IP address. Kerberos requires a name-based service principal name for the target, so a name keeps Kerberos possible while an IP literal guarantees the NTLM fallback.

In the SAM web console, add or edit each affected node using its fully qualified DNS name rather than its IP address, and confirm that the forward (A/AAAA) and reverse (PTR) records for the host agree before changing it.
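The following PowerShell is an added example, not SolarWinds code. It classifies a list of polling targets, flags IP literals, and proposes the FQDN to re-add each one under, but only when the PTR record and the A record agree, so a stale PTR does not make you move a node to the wrong host (and the wrong SPN). The target list is constructed inline; in practice export it from the SAM node list. The resolver hooks are parameters so the check runs offline with stub data; the defaults use the system resolver.

```powershell
# Added example, not SolarWinds code. Classifies SAM polling targets and proposes an FQDN
# for each IP literal. Kerberos needs a name-based SPN (e.g. HOST/srv-web01.corp.example);
# an IP literal cannot be mapped to one, so SSPI negotiates down to NTLM.
function Test-PollingTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Target,
        # IP -> name (PTR lookup). Default: system resolver.
        [scriptblock]$ReverseResolver = {
            param($ip)
            try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $null }
        },
        # name -> IP list (A/AAAA lookup). Default: system resolver.
        [scriptblock]$ForwardResolver = {
            param($name)
            try { @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString) } catch { @() }
        }
    )
    process {
        $parsed = $null
        $isIp = [System.Net.IPAddress]::TryParse($Target, [ref]$parsed)
        $r = [pscustomobject]@{ Target = $Target; IsIpLiteral = $isIp; SuggestedName = $null; Finding = $null }

        if (-not $isIp) {
            # A name keeps Kerberos possible; a short name relies on DNS suffix search, so prefer the FQDN.
            $r.Finding = if ($Target.Contains('.')) { 'OK: FQDN' } else { 'WARN: short name, prefer the FQDN' }
            return $r
        }

        # IP literal: recover a name from PTR, then require the A record to point back at the same IP.
        $ptr = & $ReverseResolver $Target
        if (-not $ptr) {
            $r.Finding = 'FAIL: IP literal with no PTR record; add the node by name manually'
            return $r
        }
        if (@(& $ForwardResolver $ptr) -contains $Target) {
            $r.SuggestedName = $ptr
            $r.Finding = "FAIL: IP literal; re-add as $ptr (PTR and A records agree)"
        } else {
            $r.Finding = "FAIL: IP literal; PTR says $ptr but its A record does not return $Target, verify before changing"
        }
        $r
    }
}

# Constructed sample data (not from a real SAM instance) and stub resolvers so this runs offline.
$targets = 'srv-app01.corp.example', '10.20.30.41', '10.20.30.42', '10.20.30.43', 'SRV-DB02'
$ptrMap  = @{ '10.20.30.41' = 'srv-web01.corp.example'; '10.20.30.42' = 'stale-name.corp.example' }
$aMap    = @{ 'srv-web01.corp.example' = @('10.20.30.41'); 'stale-name.corp.example' = @('10.20.30.99') }

$targets |
    Test-PollingTarget -ReverseResolver { param($ip) $ptrMap[$ip] } -ForwardResolver { param($n) @($aMap[$n]) } |
    Format-Table Target, IsIpLiteral, SuggestedName, Finding -AutoSize
```

Drop the two resolver arguments to run it against real DNS. A node whose PTR and A records disagree is left for a human to check rather than auto-renamed, because re-adding it under the wrong name would authenticate against the wrong SPN and fail rather than fall back.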

Disable NTLM authentication

windows

Configure polled systems to accept only Kerberos where possible. Note that this policy does not restore Kerberos for IP-addressed nodes: it turns the silent NTLM fallback into a hard authentication failure, so polling of any node still added by IP will stop until that node is re-added by name. Roll it out in audit mode first and review the NTLM Operational log (events 8001-8004) before denying.

Set Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts. This policy has no audit option of its own; enable Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts first. On the SAM poller, the matching setting is Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (Audit all, then Deny all), with any hosts that genuinely need NTLM listed under Add remote server exceptions for NTLM authentication.
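The script below is an added example, not SolarWinds or Microsoft code. It reads the registry values that back the Restrict NTLM policies, stages the audit-only step of the rollout, and pulls the audit events that step produces, so you can see exactly which polls still use NTLM before anything is denied. It assumes an elevated session; on a domain-joined host a GPO overwrites these local values at the next policy refresh, so use it to test one poller and one polled host and then move the final setting into the GPO.

```powershell
# Added example, not SolarWinds or Microsoft code. Reads and stages the
# "Network security: Restrict NTLM" settings via their registry backing store.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Value meanings differ per policy; the incoming policy has no audit mode of its own.
$Incoming = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$Outgoing = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$AuditIn  = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }

function Get-NtlmRestrictionState {
    $p = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $v = { param($name) if ($null -eq $p.$name) { 0 } else { [int]$p.$name } }   # unset value = policy not configured
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        IncomingNtlm     = $Incoming[(& $v RestrictReceivingNTLMTraffic)]   # Restrict NTLM: Incoming NTLM traffic
        OutgoingNtlm     = $Outgoing[(& $v RestrictSendingNTLMTraffic)]     # Restrict NTLM: Outgoing NTLM traffic to remote servers
        AuditIncoming    = $AuditIn[(& $v AuditReceivingNTLMTraffic)]       # Restrict NTLM: Audit Incoming NTLM Traffic
        ServerExceptions = @($p.ClientAllowedNTLMServers) -join ', '        # Restrict NTLM: Add remote server exceptions
    }
}

function Set-NtlmAuditMode {
    # Step 1 of a safe rollout: audit on the relevant side, deny nothing yet.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Poller', 'PolledHost')][string]$Role)
    $settings = switch ($Role) {
        'Poller'     { @{ RestrictSendingNTLMTraffic = 1 } }   # Outgoing: Audit all -> event 8001 per NTLM use
        'PolledHost' { @{ AuditReceivingNTLMTraffic = 2 } }    # Audit incoming for all accounts -> event 8002
    }
    foreach ($name in $settings.Keys) {
        if ($PSCmdlet.ShouldProcess("$LsaKey\$name", "set to $($settings[$name])")) {
            Set-ItemProperty -Path $LsaKey -Name $name -Value $settings[$name] -Type DWord
        }
    }
}

function Get-NtlmAuditEvents {
    # 8001 = outgoing NTLM audited (client side), 8002 = incoming NTLM audited (server side),
    # 8003/8004 = domain-level audit/block, logged on domain controllers.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-NtlmRestrictionState
Set-NtlmAuditMode -Role PolledHost -WhatIf    # remove -WhatIf to apply
Get-NtlmAuditEvents | Format-Table -AutoSize
```

Run Get-NtlmAuditEvents on a polled host after a full polling cycle: every 8002 event whose message names the SAM polling account is a node still being polled by IP. Only once that list is empty is it safe to switch the incoming policy to Deny all accounts.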

🧯 If You Can't Patch

  • Implement network segmentation to isolate SolarWinds SAM polling traffic from potential attackers
  • Require SMB signing and LDAP signing with channel binding on polled hosts and domain controllers, so a relayed NTLM authentication is rejected even if it is captured
  • Use a dedicated polling account with only the rights polling needs, so a relayed or cracked credential gains as little as possible
  • Enable enhanced monitoring for NTLM authentication events and investigate any NTLM logon by the polling account

🔍 How to Verify

Check if Vulnerable:

Check the SAM version in the web console (Settings > All Settings > Product Information). If it is older than 2023.1, you are vulnerable when Kerberos is configured for polling and any node is added by IP address rather than by DNS name; list the nodes and look for IP literals in the polling address.

Check Version:

In SAM web console: Settings > All Settings > Product Information > Version

Verify Fix Applied:

After upgrading to SAM 2023.1, confirm on a polled host that logons by the polling account (Security Event ID 4624, Logon Type 3) report Authentication Package: Kerberos rather than NTLM, and that domain controllers log Kerberos ticket events (4768/4769) for the account instead of NTLM credential validations (4776).

📡 Detection & Monitoring

Log Indicators:

  • Unexpected NTLM authentication events on polled hosts: Windows Security Event ID 4624 with Logon Type 3, Authentication Package: NTLM and Package Name: NTLM V2 (or NTLM V1) for the polling account, where Kerberos was expected
  • Event ID 4776 (NTLM credential validation) on domain controllers for the polling account; with Kerberos working correctly, only 4768/4769 appear for it
  • SAM logs showing authentication failures or fallbacks for the polling credential

Network Indicators:

  • NTLMSSP negotiation from the poller over the protocols it uses to poll: SMB (445, 139), DCE/RPC for WMI (135 plus dynamic high ports), and WinRM (5985/5986), where only Kerberos was expected
  • In captures, an NTLMSSP_NEGOTIATE / NTLMSSP_CHALLENGE / NTLMSSP_AUTH exchange rather than a Kerberos AP-REQ in the session setup

SIEM Query:

source="windows_security" EventID=4624 AuthenticationPackage="NTLM" LogonType=3 | stats count by host, user, src_ip

The query is written with generic field names; adjust them to your collector (for example the Splunk add-on for Windows exposes EventCode and Authentication_Package). Restricting it to the polling account and the poller's source IP turns a noisy NTLM baseline into a direct list of nodes still being polled by IP.
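For teams without a SIEM view, the following PowerShell is an added example (not SolarWinds code) that does the same thing against the Security log on a polled host: it parses 4624 events into objects and keeps only NTLM network logons from the poller or by the polling account, which is the fallback this CVE describes. The two sample events are constructed inline so the parser runs offline; Get-PollerNtlmLogons reads the live log. The account name and poller IP are assumptions for the example.

```powershell
# Added example, not SolarWinds code. Finds the Kerberos-to-NTLM fallback in 4624 events.
$PollingAccount = 'CORP\svc-sam-poll'   # assumed polling account
$PollerIp       = '10.20.30.5'          # assumed SAM poller address

function ConvertFrom-LogonEvent {
    # Turns one 4624 event (as XML text, e.g. from EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $x.NameTable
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $d = @{}
        foreach ($n in $x.SelectNodes('//e:EventData/e:Data', $ns)) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            TimeCreated = $x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            Computer    = $x.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = [int]$d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']
            LmPackage   = $d['LmPackageName']    # "NTLM V2" / "NTLM V1" on NTLM logons, "-" on Kerberos
            SourceIp    = $d['IpAddress']
        }
    }
}

function Find-NtlmFallback {
    # Network logon (type 3) authenticated with NTLM, from the poller or as the polling account.
    param([Parameter(ValueFromPipeline)]$Logon)
    process {
        if ($Logon.AuthPackage -eq 'NTLM' -and $Logon.LogonType -eq 3 -and
            ($Logon.SourceIp -eq $PollerIp -or $Logon.Account -eq $PollingAccount)) { $Logon }
    }
}

function Get-PollerNtlmLogons {
    # Live version: run on a polled host, elevated, after at least one polling cycle.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEvent | Find-NtlmFallback
}

# Constructed sample events (not real log data): a Kerberos logon and an NTLM logon, both by the poller.
$kerberosEvent = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2023-01-10T08:15:02Z"/><Computer>srv-app01.corp.example</Computer></System><EventData><Data Name="TargetUserName">svc-sam-poll</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="LmPackageName">-</Data><Data Name="IpAddress">10.20.30.5</Data></EventData></Event>
"@
$ntlmEvent = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2023-01-10T08:15:09Z"/><Computer>srv-web01.corp.example</Computer></System><EventData><Data Name="TargetUserName">svc-sam-poll</Data><Data Name="TargetDomainName">CORP</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="LmPackageName">NTLM V2</Data><Data Name="IpAddress">10.20.30.5</Data></EventData></Event>
"@

$kerberosEvent, $ntlmEvent | ConvertFrom-LogonEvent | Find-NtlmFallback |
    Format-Table TimeCreated, Computer, Account, AuthPackage, LmPackage, SourceIp -AutoSize
```

Find-NtlmFallback drops the Kerberos logon and passes the NTLM one through; each host it reports is one that is still being polled by IP. Keying on the polling account rather than on "any NTLM" keeps ordinary NTLM noise from local accounts and non-domain devices out of the result.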

🔗 References
