| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <14c4a1ac-dfe0-106b-5677-41b5aab2bdcb@korelogic.com>
Date: Thu, 6 Jul 2017 14:23:05 -0500
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials
KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials
Title: Solarwinds LEM Hardcoded Credentials
Advisory ID: KL-001-2017-015
Publication Date: 2017.07.06
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt
1. Vulnerability Details
Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials
Impact: Unintended Access
Attack vector: Local
2. Vulnerability Description
The appliance contains multiple hardcoded passwords and hash
digests.
3. Technical Description
# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf
output_password = QDXTCDD2nJIU
# grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org
output_password = QDXTCDD2nJIU
# grep "password" /usr/local/contego/scripts/certs/openssl.cnf
output_password = QDXTCDD2nJIU
# grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml
<Set name="password">q4ROVdYYsV5M</Set>
<Set name="keyPassword">q4ROVdYYsV5M</Set>
<Set name="trustPassword">q4ROVdYYsV5M</Set>
# grep -i "password" /usr/local/contego/scripts/indepth-backup.pl
my $PASSWORD = "omgcontegorox";
# grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';
//Empty Password
# grep -i "password" /usr/local/contego/run/manager/toolconfig/toolstore.script
CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'
# grep -i "password" /usr/local/contego/run/indepth.conf
InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\=
InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\=
// cracks to "welcome" without quotes
# grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml
<user username="manager" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="manager"/>
<user username="administrator" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="admin"/>
<user username="auditor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="audit"/>
<user username="monitor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="alerts_only"/>
<user username="contact" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="notify_only"/>
<user username="user" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="user"/>
# grep -i "password" /usr/local/contego/run/system.conf
archive.password=omgcontegorox
backup.password=omgcontegorox
logbackup.password=omgcontegorox
# grep -i "password" /usr/local/contego/run/daemon-args.pl
my $tls = "-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore
-Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M -Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore
-Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M";
# grep -i "password" /usr/local/contego/run/manager.conf
PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\=
ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\=
# grep -i "password" /var/rawdata/cores/solr.conf
query_password=tObzgVmmszuKGZ40W+PO/Q==
//hardcoded md5
# grep -i "password" /var/alertdata/hsql/alertdb.script
CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae'
CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc'
4. Mitigation and Remediation Recommendation
The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:
https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe
http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.
6. Disclosure Timeline
2017.04.06 - KoreLogic submits vulnerability report and PoC to
Solarwinds contact.
2017.05.15 - Solarwinds notifies KoreLogic that a hotfix
addressing this issue will be available at the end
of June.
2017.05.18 - 30 business days have elapsed since this issue was
reported.
2017.06.09 - 45 business days have elapsed since this issue was
reported.
2017.06.29 - Solarwinds releases hotfix.
2017.07.06 - KoreLogic public disclosure.
7. Proof of Concept
See 3. Technical Description
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
Download attachment "signature.asc" of type "application/pgp-signature" (526 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists