what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Solarwinds LEM 6.3.1 Hardcoded Credentials

Solarwinds LEM 6.3.1 Hardcoded Credentials
Posted Jul 7, 2017
Authored by Matthew Bergin, Joshua Hardin | Site korelogic.com

Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 has hard-coded credentials.

tags | exploit
SHA-256 | db2280c889805e3b1cc8bca7d28bca9faff15b7e7003176695d43071203d731f

Solarwinds LEM 6.3.1 Hardcoded Credentials

Change Mirror Download
KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials

Title: Solarwinds LEM Hardcoded Credentials
Advisory ID: KL-001-2017-015
Publication Date: 2017.07.06
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt


1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
Impact: Unintended Access
Attack vector: Local

2. Vulnerability Description

The appliance contains multiple hardcoded passwords and hash
digests.

3. Technical Description

# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf
output_password = QDXTCDD2nJIU

# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org
output_password = QDXTCDD2nJIU

# grep "password" /usr/local/contego/scripts/certs/openssl.cnf
output_password = QDXTCDD2nJIU

# grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml
<Set name="password">q4ROVdYYsV5M</Set>
<Set name="keyPassword">q4ROVdYYsV5M</Set>
<Set name="trustPassword">q4ROVdYYsV5M</Set>

# grep -i "password" /usr/local/contego/scripts/indepth-backup.pl
my $PASSWORD = "omgcontegorox";

# grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';

//Empty Password
# grep -i "password" /usr/local/contego/run/manager/toolconfig/toolstore.script
CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'

# grep -i "password" /usr/local/contego/run/indepth.conf
InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\=
InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\=

// cracks to "welcome" without quotes
# grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml
<user username="manager" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="manager"/>
<user username="administrator" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="admin"/>
<user username="auditor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="audit"/>
<user username="monitor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="alerts_only"/>
<user username="contact" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="notify_only"/>
<user username="user" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="user"/>

# grep -i "password" /usr/local/contego/run/system.conf
archive.password=omgcontegorox
backup.password=omgcontegorox
logbackup.password=omgcontegorox

# grep -i "password" /usr/local/contego/run/daemon-args.pl
my $tls = "-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore
-Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M -Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore
-Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M";

# grep -i "password" /usr/local/contego/run/manager.conf
PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\=
ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\=

# grep -i "password" /var/rawdata/cores/solr.conf
query_password=tObzgVmmszuKGZ40W+PO/Q==

//hardcoded md5
# grep -i "password" /var/alertdata/hsql/alertdb.script
CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae'
CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc'

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe
http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

2017.04.06 - KoreLogic submits vulnerability report and PoC to
Solarwinds contact.
2017.05.15 - Solarwinds notifies KoreLogic that a hotfix
addressing this issue will be available at the end
of June.
2017.05.18 - 30 business days have elapsed since this issue was
reported.
2017.06.09 - 45 business days have elapsed since this issue was
reported.
2017.06.29 - Solarwinds releases hotfix.
2017.07.06 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close