KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials Title: Solarwinds LEM Hardcoded Credentials Advisory ID: KL-001-2017-015 Publication Date: 2017.07.06 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt 1. Vulnerability Details Affected Vendor: Solarwinds Affected Product: Log and Event Manager Virtual Appliance Affected Version: v6.3.1 Platform: Embedded Linux CWE Classification: CWE-798: Use of Hard-coded Credentials Impact: Unintended Access Attack vector: Local 2. Vulnerability Description The appliance contains multiple hardcoded passwords and hash digests. 3. Technical Description # grep "password" /usr/local/jetty/scripts/certs/openssl.cnf output_password = QDXTCDD2nJIU # grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org output_password = QDXTCDD2nJIU # grep "password" /usr/local/contego/scripts/certs/openssl.cnf output_password = QDXTCDD2nJIU # grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml <Set name="password">q4ROVdYYsV5M</Set> <Set name="keyPassword">q4ROVdYYsV5M</Set> <Set name="trustPassword">q4ROVdYYsV5M</Set> # grep -i "password" /usr/local/contego/scripts/indepth-backup.pl my $PASSWORD = "omgcontegorox"; # grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme'; CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports'; //Empty Password # grep -i "password" /usr/local/contego/run/manager/toolconfig/toolstore.script CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e' # grep -i "password" /usr/local/contego/run/indepth.conf InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\= InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\= // cracks to "welcome" without quotes # grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml <user username="manager" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="manager"/> <user username="administrator" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="admin"/> <user username="auditor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="audit"/> <user username="monitor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="alerts_only"/> <user username="contact" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="notify_only"/> <user username="user" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="user"/> # grep -i "password" /usr/local/contego/run/system.conf archive.password=omgcontegorox backup.password=omgcontegorox logbackup.password=omgcontegorox # grep -i "password" /usr/local/contego/run/daemon-args.pl my $tls = "-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore -Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M -Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore -Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M"; # grep -i "password" /usr/local/contego/run/manager.conf PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\= ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\= # grep -i "password" /var/rawdata/cores/solr.conf query_password=tObzgVmmszuKGZ40W+PO/Q== //hardcoded md5 # grep -i "password" /var/alertdata/hsql/alertdb.script CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae' CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc' 4. Mitigation and Remediation Recommendation The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at: https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin. 6. Disclosure Timeline 2017.04.06 - KoreLogic submits vulnerability report and PoC to Solarwinds contact. 2017.05.15 - Solarwinds notifies KoreLogic that a hotfix addressing this issue will be available at the end of June. 2017.05.18 - 30 business days have elapsed since this issue was reported. 2017.06.09 - 45 business days have elapsed since this issue was reported. 2017.06.29 - Solarwinds releases hotfix. 2017.07.06 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
Attachment:
signature.asc
Description: OpenPGP digital signature