CVE-2023-33224

7.2 HIGH

📋 TL;DR

This vulnerability allows administrators of the SolarWinds Platform to execute arbitrary commands with NETWORK SERVICE privileges because of an incorrect-behavior-order flaw in the web console. It affects SolarWinds Platform installations that expose administrative web console access. An attacker holding administrative console access could use it to gain elevated privileges on the affected system.

💻 Affected Systems

Products:
  • SolarWinds Platform
Versions: prior to 2023.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to SolarWinds Web Console. The vulnerability exists in the web console component of the SolarWinds Platform.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through arbitrary command execution with NETWORK SERVICE privileges, potentially leading to lateral movement, data exfiltration, or deployment of persistent malware.

🟠 Likely Case

Privilege escalation from administrative web console access to SYSTEM-level access, enabling attackers to execute malicious commands, install backdoors, or manipulate system configurations.

🟢 If Mitigated

Limited impact if proper access controls, network segmentation, and monitoring are in place, though the vulnerability still provides elevated execution capabilities.

🌐 Internet-Facing: HIGH if SolarWinds web console is exposed to the internet, as administrative credentials could be compromised through other means.
🏢 Internal Only: HIGH as administrative users (legitimate or compromised) can exploit this vulnerability to execute arbitrary commands with elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative credentials to the SolarWinds Web Console. Once authenticated, the vulnerability can be triggered through the web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SolarWinds Platform 2023.3 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33224

Restart Required: Yes

Instructions:

1. Download SolarWinds Platform 2023.3 or later from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart SolarWinds services after installation.

🔧 Temporary Workarounds

Restrict Administrative Access (applies to: all)

Limit administrative access to the SolarWinds Web Console to essential personnel only, following the principle of least privilege.

Network Segmentation (applies to: all)

Isolate SolarWinds servers from critical network segments and implement strict firewall rules.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all administrative activity on SolarWinds Web Console
  • Deploy application whitelisting to prevent execution of unauthorized commands

🔍 How to Verify

Check if Vulnerable:

Check the SolarWinds Platform version in the web console under Settings > All Settings > Product Information. If the version is earlier than 2023.3, the system is vulnerable.

Check Version:

In SolarWinds Web Console: Navigate to Settings > All Settings > Product Information

Verify Fix Applied:

Verify the version shows 2023.3 or later in the web console. Test administrative functions to ensure they work properly after upgrade.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution events in Windows Event Logs from NETWORK SERVICE account
  • Suspicious administrative activity in SolarWinds audit logs
  • Multiple failed authentication attempts followed by successful administrative login

Network Indicators:

  • Unusual outbound connections from SolarWinds servers
  • Unexpected network traffic patterns from NETWORK SERVICE context

SIEM Query:

source="SolarWinds" AND (event_type="admin_action" OR user="administrator") | stats count by src_ip, user, action
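A small detector for the first log indicator above, as an added example that is not part of the advisory: it runs over constructed Windows Security event 4688 (process creation) records and flags command interpreters started as NETWORK SERVICE by the IIS worker process (w3wp.exe), which is assumed here to host the web console; the flat key="value" record format is also an assumption, not a real exporter's output.

```python
import re
from dataclasses import dataclass

# Process names that indicate a command interpreter was launched.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
WEB_CONSOLE_PARENTS = {"w3wp.exe"}  # assumption: IIS worker process hosting the console

@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    subject_user: str      # account the process was created under (4688 SubjectUserName)
    new_process: str       # full path of the created process (NewProcessName)
    parent_process: str    # full path of the creator (ParentProcessName)
    command_line: str      # CommandLine, present only if command-line auditing is on

def parse_event(line):
    """Parse one key="value" record; the flat format is a constructed export, not a real one."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    try:
        return ProcessEvent(int(fields["EventID"]), fields["SubjectUserName"],
                            fields["NewProcessName"], fields["ParentProcessName"],
                            fields.get("CommandLine", ""))
    except (KeyError, ValueError):
        return None  # malformed or non-4688 record: skip it rather than abort the scan

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious(ev):
    """Command interpreter started as NETWORK SERVICE by the web console worker process."""
    return (ev.event_id == 4688
            and ev.subject_user.upper() == "NETWORK SERVICE"
            and basename(ev.new_process) in SHELLS
            and basename(ev.parent_process) in WEB_CONSOLE_PARENTS)

def scan(lines):
    return [ev for ev in map(parse_event, lines) if ev is not None and is_suspicious(ev)]

# Constructed sample records: only the first matches all three conditions.
SAMPLE_EVENTS = [
    r'EventID="4688" SubjectUserName="NETWORK SERVICE" NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Windows\System32\inetsrv\w3wp.exe" CommandLine="cmd.exe /c hostname"',
    r'EventID="4688" SubjectUserName="NETWORK SERVICE" NewProcessName="C:\Windows\System32\conhost.exe" ParentProcessName="C:\Windows\System32\inetsrv\w3wp.exe"',
    r'EventID="4688" SubjectUserName="NETWORK SERVICE" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentProcessName="C:\Windows\System32\svchost.exe"',
    r'EventID="4688" SubjectUserName="SYSTEM" NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Windows\System32\services.exe"',
    "not a 4688 record at all",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT: {ev.subject_user} ran {ev.new_process} from {ev.parent_process}: {ev.command_line}")
```

The parent-process condition is what separates console-driven command execution from routine NETWORK SERVICE activity elsewhere on the host, so tune WEB_CONSOLE_PARENTS to whatever actually hosts the console in your deployment.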
