CVE-2024-28076
📋 TL;DR
This CVE describes an open redirect vulnerability in SolarWinds Platform where attackers can manipulate URL parameters to redirect users to malicious domains. It affects SolarWinds Platform installations with specific vulnerable versions. The vulnerability could be exploited to facilitate phishing attacks or redirect users to malicious sites.
💻 Affected Systems
- SolarWinds Platform
⚠️ Risk & Real-World Impact
Worst Case
Users could be redirected to phishing sites that steal credentials or deliver malware, potentially leading to full system compromise if combined with social engineering.
Likely Case
Attackers redirect users to phishing pages to harvest credentials or deliver malware through drive-by downloads.
If Mitigated
With proper input validation and URL sanitization, redirects would only go to trusted domains within the application.
🎯 Exploit Status
The vulnerability requires user interaction (clicking a crafted link) but is technically simple to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.1
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28076
Restart Required: Yes
Instructions:
1. Download SolarWinds Platform 2024.1.1 from SolarWinds customer portal.
2. Backup current installation.
3. Run the installer with administrative privileges.
4. Restart SolarWinds services after installation completes.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject URLs with external domains or suspicious redirect patterns.
Web Application Firewall Rules
Configure WAF to block requests containing redirect parameters with external domains.
🧯 If You Can't Patch
- Implement strict URL validation at the application layer to only allow redirects to trusted, whitelisted domains.
- Deploy network segmentation to isolate SolarWinds Platform from internet access and restrict to internal users only.
🔍 How to Verify
Check if Vulnerable:
Check SolarWinds Platform version in web interface under Help > About or via SolarWinds Orion Installer.
Check Version:
Not applicable - check via web interface or installer GUI
Verify Fix Applied:
Verify version is 2024.1.1 or later and test redirect functionality with crafted URLs to ensure they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in web server logs
- Requests with suspicious URL parameters containing redirects to external domains
Network Indicators:
- Outbound connections to unexpected domains following SolarWinds Platform access
- HTTP 302 redirects to non-SolarWinds domains
SIEM Query:
source="solarwinds" AND (url="*redirect=*" OR url="*url=*" OR url="*return=*") AND NOT (url="*solarwinds.com*" OR url="*internal-domain*")
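As an added example (not part of the original advisory and not SolarWinds code), the Python below applies the same idea as the SIEM query to request URIs from web server logs, but compares the decoded redirect target's host against an allowlist instead of substring matching, so a host such as `solarwinds.com.untrusted.example` is still flagged. The parameter names come from the query above; the trusted hosts and sample URIs are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names from the SIEM query above: heuristics, not a confirmed
# vulnerable parameter name.
REDIRECT_PARAMS = {"redirect", "url", "return"}
# Assumption: redirect targets this deployment trusts (exact host or subdomain).
TRUSTED_HOSTS = {"solarwinds.com", "orion.internal.example"}

def target_host(value):
    """Host a browser would navigate to, or None for a same-site path."""
    v = value.strip().replace("\\", "/")  # browsers treat "\" like "/"
    if v.startswith("//"):                # scheme-relative form: //host/path
        v = "https:" + v
    try:
        parts = urlsplit(v)
    except ValueError:                    # malformed authority: flag it
        return "<unparseable>"
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def suspicious_redirects(request_uri):
    """Return [(param, host)] for redirect-style parameters outside the allowlist."""
    hits = []
    query = urlsplit(request_uri).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in REDIRECT_PARAMS:
            host = target_host(value)
            if host and not is_trusted(host):
                hits.append((name, host))
    return hits

# Constructed request URIs, as they would appear in a web server access log.
SAMPLE_URIS = [
    "/example?return=%2Fdashboard",
    "/example?return=https%3A%2F%2Fwww.solarwinds.com%2Fsupport",
    "/example?redirect=https%3A%2F%2Flogin.untrusted.example%2F",
    "/example?url=%2F%2Funtrusted.example%2Fx",
    "/example?url=https%3A%2F%2Fsolarwinds.com.untrusted.example%2F",
    "/example?url=https%3A%2F%2Fsolarwinds.com%40untrusted.example%2F",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", suspicious_redirects(uri) or "ok")
```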
🔗 References
- https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2024-1-1_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28076