KL-001-2017-016 : Solarwinds LEM Insecure Update Process

Title: Solarwinds LEM Insecure Update Process
Advisory ID: KL-001-2017-016
Publication Date: 2017.09.25
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-016.txt

1. Vulnerability Details

     Affected Vendor: Solarwinds
     Affected Product: Multiple
     Affected Version: Multiple
     Platform: Embedded Linux
     CWE Classification: CWE-284: Improper Access Control,
                         CWE-346: Origin Validation Error
     Impact: Counterfeit Product Downloads
     Attack vector: HTTP

2. Vulnerability Description

     Software updates for Solarwinds products are packaged and delivered
     insecurely, leading to root compromise of Solarwinds devices.

3. Technical Description

     Software updates for Solarwinds products are typically downloaded via
     plaintext HTTP links, consisting of a .zip file with no corresponding
     PGP signature or even SHA256 checksum. An attacker able to redirect,
     phish, or man-in-the-middle downloads of update files could plant
     backdoors in Solarwinds systems.

     If Solarwinds device administrators are permitted to initiate upgrades
     but are not granted root shell access (for example, via a restricted
     management shell only), this can also be used to elevate privileges to
     gain unrestricted root access.

     Some examples from official Solarwinds forums and support pages:

     https://thwack.solarwinds.com/thread/111223
       points to
     http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip,
       which includes some data files and a perl script, hotfix/apply_hotfix.

     https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/Storage_Manager_and_Storage_Resource_Monitor_Profiler_Agent_download_links
       ->
     http://downloads.solarwinds.com/solarwinds/Release/StorageManager/6.0.0/Storage_Manager_Agent-linux-x86_64-6.0.zip
       (and many others), which contains a single .bin file that is a shell
       script with an embedded compressed .tar file.

     https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/SRM_Profiler_6.2.3_Hotfix_1
       ->
     http://downloads.solarwinds.com/solarwinds/Release/HotFix/STM-v6.2.3-HotFix1.zip,
       which contains data files and driver scripts for both Linux
       (Patch/STM_Patch.sh) and Windows (Patch/STM Patch.bat).

     https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/AIX_Agent_Communication_error
       ->
     http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v5.3.1-AIXAgentInstaller.zip,
       which contains a single .bin file that is a shell script with an
       embedded compressed .tar file.

     Windows-centric software is also accessed via HTTP links, and consists
     of .zip files containing .exe files. No analysis was done to check
     whether these .exe's are signed, etc., although a user could likely be
     duped into running an executable without a signature or one signed by
     a bogus certificate.

     http://downloads.solarwinds.com/ is Akamai-hosted, and attempting to
     force HTTPS results in a certificate name mismatch (i.e. customers
     cannot simply elect to use a less insecure download URL).

4. Mitigation and Remediation Recommendation

     The vendor has addressed these issues and provided the following
     statement:

       We have obtained digital certificates for our download webpages and
       have updated our URL links accordingly to HTTPS. Additionally, we
       have already enabled checksums for many of our products on our
       federal sites and are working towards publishing checksums on our
       commercial download pages.

5. Credit

     This vulnerability was discovered by Hank Leininger of KoreLogic, Inc.

6. Disclosure Timeline

     2017.08.11 - KoreLogic submits vulnerability report to Solarwinds contact.
     2017.08.16 - Solarwinds acknowledges receipt of the report.
     2017.08.18 - Solarwinds informs KoreLogic they will begin working on
                  remediation.
     2017.09.07 - Solarwinds informs KoreLogic the issues have been addressed
                  and provides the statement that appears in section 4 of
                  this advisory.
     2017.09.25 - KoreLogic public disclosure.

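The integrity gate that the update process in section 3 lacks, as an added defensive example that is not part of the KoreLogic advisory or any Solarwinds code: refuse plaintext HTTP download URLs, verify the archive against a SHA-256 digest obtained out of band (a hypothetical pinned value, since none is published), and enumerate the install-time scripts such as hotfix/apply_hotfix before anything is run as root. The sample archive is constructed in memory and stands in for a real hotfix zip.

```python
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlparse
# Install-time driver scripts named in the advisory, plus common executable suffixes.
DRIVER_NAMES = ("apply_hotfix", "STM_Patch.sh", "STM Patch.bat")
SCRIPT_SUFFIXES = (".sh", ".bin", ".pl", ".bat")

def check_download_url(url):
    """Reject plaintext HTTP: anyone on the path can swap the archive in transit."""
    if urlparse(url).scheme != "https":
        return False, "refusing non-HTTPS download URL: %s" % url
    return True, "ok"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_archive(data, expected_sha256):
    """Compare against a digest obtained out of band, never from the same HTTP page."""
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, "checksum mismatch: got %s" % actual
    return True, "ok"

def find_installer_scripts(data):
    """List members that execute during install; review them before running as root."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            exec_bits = (info.external_attr >> 16) & 0o111  # unix mode bits, if recorded
            if (name.split("/")[-1] in DRIVER_NAMES
                    or name.lower().endswith(SCRIPT_SUFFIXES) or exec_bits):
                found.append(name)
    return found

def gate_update(url, data, expected_sha256):
    """Run every check before anything inside the archive is executed."""
    for ok, why in (check_download_url(url), verify_archive(data, expected_sha256)):
        if not ok:
            return False, why
    return True, "verified; installer scripts: %s" % find_installer_scripts(data)

def build_sample_hotfix():
    """Constructed stand-in for a LEM hotfix zip (sample data, not the real archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hotfix/data.txt", "payload data\n")
        zf.writestr("hotfix/apply_hotfix", "#!/usr/bin/perl\nprint 'applying';\n")
    return buf.getvalue()
```

A checksum served from the same plaintext page as the archive adds nothing, since the same attacker can rewrite both; the digest must come from a separately trusted channel.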
7. Proof of Concept

     See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and
are licensed under a Creative Commons Attribution Share-Alike 4.0 (United
States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven
track record of providing security services to entities ranging from
Fortune 500 to small and mid-sized companies. We are a highly skilled team
of senior security consultants doing by-hand security assessments for the
most important networks in the U.S. and around the world. We are also
developers of various tools and resources aimed at helping the security
community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt