CVE-2023-23842

7.2 HIGH

📋 TL;DR

CVE-2023-23842 is a directory traversal vulnerability in SolarWinds Network Configuration Manager (NCM) that allows users with administrative access to the SolarWinds web console to execute arbitrary commands on the underlying Windows host. It affects organizations running SolarWinds NCM that is administered through the web console. The root cause is improper validation of user-supplied paths (CWE-22, Improper Limitation of a Pathname to a Restricted Directory).

💻 Affected Systems

Products:
  • SolarWinds Network Configuration Manager
Versions: Versions prior to 2023.3
Operating Systems: Windows Server (primary deployment platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to the SolarWinds web console. The vulnerability exists in the default installation configuration.

📦 What is this software?

SolarWinds Network Configuration Manager (NCM) is a module of the SolarWinds Platform (formerly Orion) used to back up, compare, audit and push configurations to network devices such as routers, switches and firewalls. It is installed on the same Windows Server as the platform and is administered through the shared SolarWinds web console. Because that server holds privileged credentials for every managed device, a flaw reachable from the console exposes not just NCM but the whole SolarWinds host and the network it manages.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate sensitive data, or pivot to other network systems.

🟠

Likely Case

Privilege escalation from web-console administrator to command execution on the SolarWinds host, leading to unauthorized configuration changes, manipulation of managed network devices, or theft of the device credentials NCM stores.

🟢

If Mitigated

Limited impact if proper access controls, network segmentation, and monitoring are in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH if the SolarWinds web console is exposed to the internet: any administrative credential obtained by phishing, reuse or credential stuffing then becomes code execution on the SolarWinds host. A network management console should not be reachable from the internet at all.
🏢 Internal Only: HIGH even when the console is reachable only internally, because compromised administrative credentials or a malicious insider can exploit it, and the NCM host is a high-value pivot that stores credentials for the network devices it manages.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires administrative credentials to the SolarWinds web console (CVSS PR:H, which is why the score is 7.2 rather than critical). Once authenticated, the directory traversal and the resulting command execution are straightforward, so any leaked or phished console administrator credential should be treated as code execution on the NCM host.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.3 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23842

Restart Required: Yes

Instructions:

1. Back up the current SolarWinds configuration and the SolarWinds database before starting.
2. Download SolarWinds NCM 2023.3 or later from the SolarWinds customer portal. NCM is a SolarWinds Platform module, so the upgrade runs through the SolarWinds Platform installer and upgrades the platform and any other installed modules together.
3. Run the installer with administrative privileges on the SolarWinds server and follow the upgrade wizard, including the Configuration Wizard it launches afterwards.
4. Restart the SolarWinds services after installation completes and confirm the new version in the web console.

🔧 Temporary Workarounds

Restrict Administrative Access

Platform: all

Limit administrative access to the SolarWinds web console to only necessary personnel using role-based access controls.

Network Segmentation

Platform: all

Isolate the SolarWinds NCM server in a dedicated management VLAN with strict firewall rules limiting inbound connections.
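As an added example (not from the SolarWinds advisory or this page), the host-firewall half of the segmentation workaround: restrict inbound access to the web console (served by IIS on TCP 80/443) to a management subnet using Windows Defender Firewall on the SolarWinds server. The subnet 10.20.30.0/24 is a placeholder, and the built-in rule names matched by 'World Wide Web Services*' are assumed to be the IIS allow rules present on your server; check with Get-NetFirewallRule before relying on the pattern.

```powershell
# Added example, not vendor code. Scope the SolarWinds web console (IIS, TCP 80/443)
# to a management subnet with Windows Defender Firewall.
# Placeholder: replace 10.20.30.0/24 with your management subnet.
$ManagementSubnet = '10.20.30.0/24'
$ConsolePorts     = @(80, 443)

# 1. Disable (do not delete, so the change is reversible) the broad built-in IIS allow
#    rules. Assumption: they carry the default "World Wide Web Services (...)" names.
Get-NetFirewallRule -DisplayName 'World Wide Web Services*' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Allow the console ports only from the management subnet.
New-NetFirewallRule -DisplayName 'SolarWinds console - mgmt subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePorts `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Any | Out-Null

# 3. Do NOT add a Block rule for "everyone else": in Windows Firewall a Block rule wins
#    over an Allow rule, so a block on RemoteAddress Any would also block the management
#    subnet. Instead make sure the default inbound action is Block on every profile, so
#    that with the built-in rules disabled the scoped rule above is the only way in.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 4. List any other enabled inbound Allow rule that still opens the console ports (or all
#    ports), for manual review; an overlooked "allow all" rule defeats the scoping above.
Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        ($_.LocalPort -contains '80' -or $_.LocalPort -contains '443' -or $_.LocalPort -eq 'Any')
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile, Enabled
```

Run it in an elevated PowerShell session on the SolarWinds server. It only touches the web console ports; other SolarWinds Platform listeners (the SolarWinds Information Service API and agent ports) are not covered here and should be scoped to the same management subnet in a separate step.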

🧯 If You Can't Patch

  • Reduce the number of web-console administrators to the minimum, enforce MFA on console logins (for example through SAML single sign-on), and review administrative activity on the console regularly. Exploitation needs an administrative session, so protecting those sessions is the primary control.
  • Collect host telemetry from the SolarWinds server (Windows Security event 4688 with command-line logging, or Sysmon process creation) and alert on shells or scripting hosts spawned by SolarWinds processes. Console traffic is TLS, so a network IDS will rarely see the traversal pattern and should be treated as a secondary source.

🔍 How to Verify

Check if Vulnerable:

Check the SolarWinds NCM version in the web console under Settings > All Settings > Product Information. If version is below 2023.3, the system is vulnerable.

Check Version:

In SolarWinds web console: Navigate to Settings > All Settings > Product Information

Verify Fix Applied:

After patching, verify the version shows 2023.3 or higher in the Product Information page. Test administrative functions to ensure normal operation.
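The same check from the server side, as an added example that is not part of the original page or of any SolarWinds tooling: read the installed NCM version from the Windows uninstall registry keys and compare it with the fixed release. It assumes NCM registers in Programs and Features with a DisplayName containing "Network Configuration Manager"; adjust the wildcard if your install shows a different name.

```powershell
# Added example, not vendor code. Check whether the installed SolarWinds NCM build is
# below the fixed 2023.3 release. Run on the SolarWinds server itself.
$FixedVersion = [version]'2023.3'

# Both 64-bit and 32-bit uninstall hives, since the module may register in either.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product registers with a DisplayName like
# "SolarWinds Network Configuration Manager"; widen the pattern if yours differs.
$ncm = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*Network Configuration Manager*' } |
    Select-Object DisplayName, DisplayVersion

if (-not $ncm) {
    Write-Output 'SolarWinds NCM not found in the uninstall registry keys on this host.'
    return
}

foreach ($entry in $ncm) {
    # DisplayVersion may carry a build suffix (e.g. 2023.2.1.12345) or stray text;
    # [version] accepts two to four dot-separated integers, so keep only digits and dots.
    $clean     = ($entry.DisplayVersion -replace '[^0-9.]', '').TrimEnd('.')
    $installed = [version]$clean

    # [version]'2023.3.0' compares greater than [version]'2023.3', so a patched build
    # with a build number is correctly reported as OK.
    if ($installed -lt $FixedVersion) {
        Write-Output ("VULNERABLE: {0} {1} is below {2}" -f $entry.DisplayName, $installed, $FixedVersion)
    } else {
        Write-Output ("OK: {0} {1} is at or above {2}" -f $entry.DisplayName, $installed, $FixedVersion)
    }
}
```

Cross-check the result against the Product Information page in the web console; if the two disagree, the upgrade most likely did not complete and the Configuration Wizard should be re-run.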

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path access patterns in SolarWinds logs
  • Shells or scripting hosts (cmd.exe, powershell.exe, wscript.exe, mshta.exe and similar) spawned as child processes of SolarWinds processes, visible in Windows Security event 4688 (with "Creator Process Name" and command-line logging enabled) or Sysmon event 1
  • Multiple failed authentication attempts followed by successful administrative login

Network Indicators:

  • Unusual outbound connections from the SolarWinds server to external IPs
  • Suspicious HTTP requests to the SolarWinds web console containing directory traversal sequences, including URL-encoded and double-encoded variants (../, ..\, ..%2f, ..%5c, ..%252f); because console traffic is TLS, these are only visible in the IIS logs on the server or at a TLS-terminating proxy

SIEM Query:

Field names below are placeholders in Splunk-style syntax; map them to the sources your SIEM actually ingests (IIS W3C logs for the web console, Windows Security 4688 or Sysmon 1 for process creation) and replace <solarwinds-server> with the NCM host name.

(host="<solarwinds-server>" sourcetype="iis" (cs_uri_stem="*../*" OR cs_uri_query="*../*" OR cs_uri_query="*..%2f*" OR cs_uri_query="*..%252f*"))
OR (host="<solarwinds-server>" EventCode=4688 Creator_Process_Name="*SolarWinds*" New_Process_Name IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\mshta.exe"))
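For environments without a SIEM, the two detections above as an added example run directly on the SolarWinds server (this is not code from the page or from SolarWinds). It assumes Security event 4688 is enabled with command-line logging, that the web console is served by IIS with W3C logs under C:\inetpub\logs\LogFiles, and that the list of suspicious child processes is a starting point rather than an exhaustive one. The sample output columns and the 7-day window are arbitrary choices.

```powershell
# Added example, not vendor code: hunt for post-exploitation traces of CVE-2023-23842
# on the SolarWinds server. Requires an elevated session (Security log access).

function Get-SolarWindsShellSpawns {
    param([int]$Days = 7)

    # Child process names a web-console RCE would most plausibly launch (assumption).
    $suspiciousChild = '\\(cmd|powershell|pwsh|wscript|cscript|mshta|certutil|bitsadmin|rundll32)\.exe$'

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4688 carries its fields as <Data Name="...">; flatten them into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ParentProcessName ("Creator Process Name") is only populated on
        # Windows Server 2012 R2 (with the relevant update) and later.
        if ($data['ParentProcessName'] -match 'SolarWinds' -and
            $data['NewProcessName']    -match $suspiciousChild) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentProcessName']
                Child       = $data['NewProcessName']
                CommandLine = $data['CommandLine']
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

function Find-TraversalRequests {
    # Assumption: default IIS log location; adjust if the site logs elsewhere.
    param([string]$LogPath = 'C:\inetpub\logs\LogFiles\W3SVC*\*.log')

    # "../" or "..\" anywhere, or a trailing "/.." / "\.." with nothing after it.
    $traversal = '(\.\.[\\/]|[\\/]\.\.$)'

    foreach ($file in Get-ChildItem -Path $LogPath -ErrorAction SilentlyContinue) {
        $fields = $null
        foreach ($line in Get-Content -Path $file.FullName) {
            if ($line -like '#Fields:*') {
                # The W3C header names the columns; IIS may emit it more than once per file.
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }

            $cols = $line -split ' '
            $row  = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

            $raw = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
            # Decode repeatedly so ..%2f and double-encoded ..%252f are both caught.
            $decoded = $raw
            for ($n = 0; $n -lt 3; $n++) { $decoded = [System.Uri]::UnescapeDataString($decoded) }

            if ($decoded -match $traversal) {
                [pscustomobject]@{
                    Time    = "$($row['date']) $($row['time'])"
                    Client  = $row['c-ip']
                    User    = $row['cs-username']   # usually "-" for forms-authenticated console logins
                    Status  = $row['sc-status']
                    Request = $raw
                }
            }
        }
    }
}

Get-SolarWindsShellSpawns | Format-Table -AutoSize
Find-TraversalRequests    | Format-Table -AutoSize
```

A hit from Get-SolarWindsShellSpawns is the stronger signal: the SolarWinds processes have no routine reason to launch a shell, whereas traversal sequences in IIS logs also come from scanners and need the console's own logs to tie a request to an administrative session.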
