Skip to main content
Security Advisory

Solarwinds LEM Hardcoded Credentials

Advisory ID
KL-001-2017-015
Published
2017-07-06
Vendor
Solarwinds

Affected Systems

Product
Log and Event Manager Virtual Appliance
Version
v6.3.1
Platform
Embedded Linux

Discovered By

Matt Bergin (KoreLogic)
Download (signed .txt)
Back to Advisories

Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
Impact: Unintended Access
Attack Vector: Local

Vulnerability Description

The appliance contains multiple hardcoded passwords and hash digests.

Technical Description

# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf
output_password			= QDXTCDD2nJIU

# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org
output_password			= QDXTCDD2nJIU

# grep "password" /usr/local/contego/scripts/certs/openssl.cnf
output_password			= QDXTCDD2nJIU

# grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml
        <Set name="password">q4ROVdYYsV5M</Set>
        <Set name="keyPassword">q4ROVdYYsV5M</Set>
        <Set name="trustPassword">q4ROVdYYsV5M</Set>

# grep -i "password" /usr/local/contego/scripts/indepth-backup.pl
my $PASSWORD = "omgcontegorox";

# grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo      WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego     WITH CREATEDB LOGIN PASSWORD 'reports';

//Empty Password
# grep -i "password" /usr/local/contego/run/manager/toolconfig/toolstore.script
CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'

# grep -i "password" /usr/local/contego/run/indepth.conf
InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\=
InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\=

// cracks to "welcome" without quotes
# grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml
		<user username="manager" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="manager"/>
        <user username="administrator" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="admin"/>
        <user username="auditor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="audit"/>
        <user username="monitor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="alerts_only"/>
        <user username="contact" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="notify_only"/>
        <user username="user" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="user"/>

# grep -i "password" /usr/local/contego/run/system.conf
archive.password=omgcontegorox
backup.password=omgcontegorox
logbackup.password=omgcontegorox

# grep -i "password" /usr/local/contego/run/daemon-args.pl
my $tls = "-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore -Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M -Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore -Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M";

# grep -i "password" /usr/local/contego/run/manager.conf
PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\=
ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\=

# grep -i "password" /var/rawdata/cores/solr.conf
query_password=tObzgVmmszuKGZ40W+PO/Q==

//hardcoded md5
# grep -i "password" /var/alertdata/hsql/alertdb.script
CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae'
CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc'

Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin.

Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Disclosure Timeline

KoreLogic submits vulnerability report and PoC to Solarwinds contact.

Solarwinds notifies KoreLogic that a hotfix addressing this issue will be available at the end of June.

30 business days have elapsed since this issue was reported.

45 business days have elapsed since this issue was reported.

Solarwinds releases hotfix.

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable

Resources & Downloads

Contact Security Team
All Advisories Download signed .txt