CVE-2024-0692 Scanner
CVE-2024-0692 Scanner - Remote Code Execution vulnerability in SolarWinds Security Event Manager
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 7 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
SolarWinds Security Event Manager (SEM) is an enterprise-grade Security Information and Event Management (SIEM) platform designed to help organizations monitor, detect, and respond to security threats. It aggregates logs and events from various sources and provides real-time analysis for incident detection and compliance. SEM is commonly used by security operations centers (SOCs) in businesses, government agencies, and managed service providers. It integrates with network devices, endpoints, and applications to correlate events and enforce security policies. Accessible via a web interface, it also provides automated responses and extensive reporting capabilities. Due to its sensitive role, any vulnerability in SEM can severely impact an organization’s security posture.
This scanner detects a remote code execution (RCE) vulnerability in SolarWinds Security Event Manager that allows unauthenticated attackers to execute arbitrary code. The flaw lies in how the application handles AMF (Action Message Format) deserialization on the `/services/messagebroker/streamingamf` endpoint: unvalidated input delivered in crafted AMF payloads triggers insecure deserialization, which leads to RCE. Because no authentication is required, the attack surface is exposed to any unauthenticated user who can reach the endpoint on the network. The CVSS score of 8.8 reflects the high impact of this vulnerability on confidentiality, integrity, and availability.
The vulnerable endpoint is `/services/messagebroker/streamingamf`, which accepts AMF-formatted data. By sending a malicious POST request with crafted binary AMF content, an attacker can exploit the insecure deserialization process. This vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), meaning the input stream is deserialized without proper validation. The scanner identifies a vulnerable target by first confirming the presence of the SEM interface and then checking for AMF-specific markers in the response. A successful match indicates that the system is processing AMF content and is likely vulnerable to exploitation.
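Since the affected endpoint and the AMF transport are both named above, a defender can watch for them directly in web access logs while patching is scheduled. The following is an added example written for this page, not the scanner's own logic or SolarWinds code: it parses a constructed set of access-log lines, flags POST requests carrying AMF content to `/services/messagebroker/streamingamf`, and ignores sources inside a trusted range. The log layout (common log format plus a quoted Content-Type field), the `application/x-amf` media type, and the `10.0.0.0/8` trusted network are assumptions for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Endpoint identified on this page as the AMF message broker affected by CVE-2024-0692.
AMF_ENDPOINT = "/services/messagebroker/streamingamf"
# Media type used for AMF traffic (assumption: the standard Flex/BlazeDS content type).
AMF_CONTENT_TYPES = {"application/x-amf"}
# Networks where SEM consoles and agents are expected to live (assumption for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines: common log format followed by a quoted request Content-Type.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 1532 "text/html"
10.0.0.5 - - [01/Mar/2024:10:00:05 +0000] "POST /services/messagebroker/streamingamf HTTP/1.1" 200 88 "application/x-amf"
203.0.113.9 - - [01/Mar/2024:10:01:17 +0000] "POST /services/messagebroker/streamingamf HTTP/1.1" 200 91 "application/x-amf"
203.0.113.9 - - [01/Mar/2024:10:01:18 +0000] "POST /services/messagebroker/streamingamf HTTP/1.1" 500 0 "application/x-amf; charset=binary"
198.51.100.4 - - [01/Mar/2024:10:02:00 +0000] "GET /services/messagebroker/streamingamf HTTP/1.1" 405 0 "text/html"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def is_trusted(ip_text: str, trusted_nets=TRUSTED_NETS) -> bool:
    """True when the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: treat as untrusted
    return any(addr in net for net in trusted_nets)


def find_amf_posts(log_text: str, trusted_nets=TRUSTED_NETS) -> List[Dict[str, str]]:
    """Return one finding per POST of AMF content to the vulnerable endpoint from an untrusted source."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only POSTs to the exact endpoint path matter; strip any query string before comparing.
        if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != AMF_ENDPOINT:
            continue
        # Normalise "application/x-amf; charset=..." down to the bare media type.
        media_type = rec["ctype"].split(";", 1)[0].strip().lower()
        if media_type not in AMF_CONTENT_TYPES:
            continue
        if is_trusted(rec["ip"], trusted_nets):
            continue
        findings.append({"ip": rec["ip"], "time": rec["time"], "status": rec["status"]})
    return findings


def sources_by_count(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate findings per source address so repeated probing stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_amf_posts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['ip']} POST {AMF_ENDPOINT} -> {h['status']}")
    print(sources_by_count(hits))
```

Run over the constructed sample, the two AMF POSTs from `203.0.113.9` are reported and the one from the trusted `10.0.0.5` console is not; a 500 response following an AMF POST from an unexpected source is worth a closer look, since the endpoint requires no authentication. Until the fix is applied, restricting network access to this path to the SEM console and agent ranges removes the exposure the page describes.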
If exploited, this vulnerability enables attackers to execute arbitrary code on the SEM host system, potentially gaining full control. This can lead to the exfiltration of sensitive logs and security data, manipulation of event processing, or insertion of malicious responses. An attacker may also use the SEM infrastructure to pivot to other internal systems. In enterprise environments, this compromises the very system responsible for detecting and responding to threats. Successful exploitation can disrupt security monitoring and blind detection capabilities, resulting in prolonged breaches.