
Solarwinds LEM Insecure Update Process

Posted Sep 26, 2017
Authored by Hank Leininger

Software updates for Solarwinds products are packaged and delivered insecurely, leading to root compromise of Solarwinds devices.

tags | advisory, root
SHA-256 | 2a9df79c742962870c74939e16e4499331d3b9dcdf53b4c3fe83b8d82173b94e

KL-001-2017-016 : Solarwinds LEM Insecure Update Process

Title: Solarwinds LEM Insecure Update Process
Advisory ID: KL-001-2017-016
Publication Date: 2017.09.25
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-016.txt


1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Multiple
Affected Version: Multiple
Platform: Embedded Linux
CWE Classification: CWE-284: Improper Access Control, CWE-346: Origin Validation Error
Impact: Counterfeit Product Downloads
Attack vector: HTTP

2. Vulnerability Description

Software updates for Solarwinds products are packaged and
delivered insecurely, leading to root compromise of Solarwinds
devices.

3. Technical Description

Software updates for Solarwinds products are typically downloaded
via plaintext HTTP links. Each update is a .zip file with no
corresponding PGP signature or even SHA256 checksum.

An attacker able to redirect, phish, or man-in-the-middle downloads
of update files could plant backdoors in Solarwinds systems.
If Solarwinds device administrators are permitted to initiate
upgrades but not granted root shell access (such as via a restricted
management shell only), this can also be used to elevate privileges
to gain unrestricted root access.

Some examples from official Solarwinds forums and support pages:

https://thwack.solarwinds.com/thread/111223 points to
http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip,
which includes some data files and a perl script,
hotfix/apply_hotfix.


https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/Storage_Manager_and_Storage_Resource_Monitor_Profiler_Agent_download_links
->
http://downloads.solarwinds.com/solarwinds/Release/StorageManager/6.0.0/Storage_Manager_Agent-linux-x86_64-6.0.zip
(and many others), which contains a single .bin file that is a
shell script with an embedded compressed .tar file.

https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/SRM_Profiler_6.2.3_Hotfix_1 ->
http://downloads.solarwinds.com/solarwinds/Release/HotFix/STM-v6.2.3-HotFix1.zip,
which contains data files and driver scripts for both Linux
(Patch/STM_Patch.sh) and Windows (Patch/STM Patch.bat).

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/AIX_Agent_Communication_error ->
http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v5.3.1-AIXAgentInstaller.zip,
which contains a single .bin file that is a shell script with an
embedded compressed .tar file.

Windows-centric software is also accessed via HTTP links, and
consists of .zip files containing .exe files. No analysis was done
to check if these .exe's are signed, etc., although a user could
likely be duped into running an executable without a signature or
signed by a bogus certificate.

http://downloads.solarwinds.com/ is Akamai-hosted, and attempting to
force HTTPS results in a certificate name mismatch (i.e. customers
cannot simply elect to use a less insecure download URL).
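
An administrator-side check for the gap described above, added here as an example (it is not part of the KoreLogic advisory or of any Solarwinds tooling). It assumes a SHA-256 digest for the update was obtained out of band; the function names, the example.invalid URL and the sample archive are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlsplit

# File types the advisory reports inside update archives.
RUNNABLE_SUFFIXES = (".bin", ".sh", ".bat", ".exe")


def runnable_entries(archive: bytes) -> list[str]:
    """Names of archive members an update procedure would execute."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Extensionless drivers such as hotfix/apply_hotfix are caught by shebang.
            with zf.open(info) as fh:
                has_shebang = fh.read(2) == b"#!"
            if has_shebang or info.filename.lower().endswith(RUNNABLE_SUFFIXES):
                found.append(info.filename)
    return sorted(found)


def vet_update(url: str, archive: bytes, pinned_sha256: str) -> list[str]:
    """Raise ValueError unless the archive came over HTTPS and matches the pin.

    Returns the runnable members so an operator can review them before applying.
    """
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing update fetched over a non-HTTPS URL")
    actual = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.strip().lower()):
        raise ValueError("SHA-256 mismatch: archive differs from pinned digest")
    return runnable_entries(archive)


def build_sample_zip(script_body: bytes) -> bytes:
    """Constructed sample: a hotfix-like archive with a data file and a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hotfix/data.txt", b"constructed data file\n")
        zf.writestr("hotfix/apply_hotfix", script_body)
    return buf.getvalue()
```

The digest only helps if it reaches the administrator over a channel the download path cannot alter; a checksum served from the same plaintext HTTP host gives no assurance.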

4. Mitigation and Remediation Recommendation

The vendor has addressed these issues and provided the following
statement: We have obtained digital certificates for our
download webpages and have updated our URL links accordingly
to HTTPS. Additionally, we have already enabled checksums
for many of our products on our federal sites and are working
towards publishing checksums on our commercial download pages.


5. Credit

This vulnerability was discovered by Hank Leininger of
KoreLogic, Inc.

6. Disclosure Timeline

2017.08.11 - KoreLogic submits vulnerability report to Solarwinds
contact.
2017.08.16 - Solarwinds acknowledges receipt of the report.
2017.08.18 - Solarwinds informs KoreLogic they will begin working
on remediation.
2017.09.07 - Solarwinds informs KoreLogic the issues have been
addressed and provides the statement that appears in
section 4 of this advisory.
2017.09.25 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
