Solarwinds LEM Insecure Update Process

Vulnerability Description

Software updates for Solarwinds products are packaged and delivered insecurely, leading to root compromise of Solarwinds devices.

Technical Description

Software updates for Solarwinds products are typically downloaded via plaintext HTTP links, consisting of a .zip file with no corresponding PGP signature or even SHA256 checksum.

An attacker able to redirect, phish, or man-in-the-middle downloads of update files could plant backdoors in Solarwinds systems. If Solarwinds device administrators are permitted to initiate upgrades but not granted root shell access (such as via a restricted management shell only), this can also be used to elevate privileges to gain unrestricted root access.

Some examples from official Solarwinds forums and support pages:

https://thwack.solarwinds.com/thread/111223 points to http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip, which includes some data files and a perl script, hotfix/apply_hotfix.

https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/Storage_Manager_and_Storage_Resource_Monitor_Profiler_Agent_download_links -> http://downloads.solarwinds.com/solarwinds/Release/StorageManager/6.0.0/Storage_Manager_Agent-linux-x86_64-6.0.zip (and many others), which contains a single .bin file that is a shell script with an embedded compressed .tar file.

https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/SRM_Profiler_6.2.3_Hotfix_1 -> http://downloads.solarwinds.com/solarwinds/Release/HotFix/STM-v6.2.3-HotFix1.zip, which contains data files and driver scripts for both Linux (Patch/STM_Patch.sh) and Windows (Patch/STM Patch.bat).

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/AIX_Agent_Communication_error -> http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v5.3.1-AIXAgentInstaller.zip, contains a single .bin file that is a shell script with an embedded compressed .tar file.

Windows-centric software is also accessed via HTTP links, and consist of .zip files containing .exe files. No analysis was done to check if these .exe’s are signed, etc., although a user could likely be duped into running an an executable without a signature or signed by a bogus certificate.

http://downloads.solarwinds.com/ is Akamai-hosted, and attempting to force HTTPS results in a certificate name mismatch (i.e. customers cannot simply elect to use a less insecure download URL).

Mitigation and Remediation Recommendation

The vendor has addressed these issues and provided the following statement: We have obtained digital certificates for our download webpages and have updated our URL links accordingly to HTTPS. Additionally, we have already enabled checksums for many of our products on our federal sites and are working towards publishing checksums on our commercial download pages.

Credit

This vulnerability was discovered by Hank Leininger of KoreLogic, Inc.

Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt