Message-ID: <aa25bed1-2b05-b319-3da9-15bf86de2c4e@korelogic.com>
Date: Mon, 25 Sep 2017 18:39:35 -0500
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] KL-001-2017-016 : Solarwinds LEM Insecure Update Process

KL-001-2017-016 : Solarwinds LEM Insecure Update Process

Title: Solarwinds LEM Insecure Update Process
Advisory ID: KL-001-2017-016
Publication Date: 2017.09.25
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-016.txt


1. Vulnerability Details

     Affected Vendor: Solarwinds
     Affected Product: Multiple
     Affected Version: Multiple
     Platform: Embedded Linux
     CWE Classification: CWE-284: Improper Access Control, CWE-346: Origin Validation Error
     Impact: Counterfeit Product Downloads
     Attack vector: HTTP

2. Vulnerability Description

     Software updates for Solarwinds products are packaged and
     delivered insecurely, leading to root compromise of Solarwinds
     devices.

3. Technical Description

     Software updates for Solarwinds products are typically downloaded
     via plaintext HTTP links, consisting of a .zip file with no
     corresponding PGP signature or even SHA256 checksum.

     An attacker able to redirect, phish, or man-in-the-middle downloads
     of update files could plant backdoors in Solarwinds systems.
     If Solarwinds device administrators are permitted to initiate
     upgrades but not granted root shell access (such as via a restricted
     management shell only), this can also be used to elevate privileges
     to gain unrestricted root access.

     Some examples from official Solarwinds forums and support pages:

       https://thwack.solarwinds.com/thread/111223 points to
       http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix4.zip,
       which includes some data files and a perl script,
       hotfix/apply_hotfix.

       https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/Storage_Manager_and_Storage_Resource_Monitor_Profiler_Agent_download_links ->
       http://downloads.solarwinds.com/solarwinds/Release/StorageManager/6.0.0/Storage_Manager_Agent-linux-x86_64-6.0.zip
       (and many others), which contains a single .bin file that is a
       shell script with an embedded compressed .tar file.

       https://support.solarwinds.com/Success_Center/Storage_Manager_(STM)/SRM_Profiler_6.2.3_Hotfix_1 ->
       http://downloads.solarwinds.com/solarwinds/Release/HotFix/STM-v6.2.3-HotFix1.zip,
       which contains data files and driver scripts for both Linux
       (Patch/STM_Patch.sh) and Windows (Patch/STM Patch.bat).

       https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/AIX_Agent_Communication_error ->
       http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v5.3.1-AIXAgentInstaller.zip,
       contains a single .bin file that is a shell script with an embedded
       compressed .tar file.

     Windows-centric software is also accessed via HTTP links, and
     consists of .zip files containing .exe files.  No analysis was done
     to check whether these .exe files are signed, although a user could
     likely be duped into running an executable without a signature or
     one signed by a bogus certificate.

     http://downloads.solarwinds.com/ is Akamai-hosted, and attempting to
     force HTTPS results in a certificate name mismatch (i.e. customers
     cannot simply elect to use a less insecure download URL).
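     As an added illustration (not part of the advisory and not Solarwinds
     code), the following POSIX shell gate shows what an administrator can
     put in front of an update archive that ships with no signature or
     checksum: refuse plaintext HTTP sources and refuse to hand off to the
     vendor's apply script unless the archive matches a digest pinned
     out-of-band. The URL, path and digest values are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory or from Solarwinds: a "verify before
# apply" gate an administrator can wrap around an update archive that ships
# with no signature or checksum. Assumed: the expected SHA256 is obtained
# out-of-band (e.g. pinned from the vendor's HTTPS page), and the
# URL/path/digest values used with it are hypothetical.

# Portable SHA256 of a file (coreutils sha256sum or perl/BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Accept only HTTPS update URLs; plaintext HTTP is the vector in section 3.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Compare a file's SHA256 with the expected digest (case-insensitive).
# Returns 0 on match, 1 on mismatch, empty digest, or missing file.
verify_sha256() {
    file="$1"; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    [ -n "$expected" ] || return 1
    [ "$(sha256_of "$file")" = "$expected" ]
}

# Gate: $1 = URL the archive was fetched from, $2 = local archive path,
# $3 = expected SHA256. Only the last line would hand off to the vendor's
# own apply script (e.g. hotfix/apply_hotfix) once both checks pass.
apply_update_if_verified() {
    if ! url_is_https "$1"; then
        echo "refusing $2: update URL is not HTTPS ($1)" >&2; return 1
    fi
    if ! verify_sha256 "$2" "$3"; then
        echo "refusing $2: SHA256 mismatch or no digest pinned" >&2; return 1
    fi
    echo "verified $2; safe to hand off to the vendor apply script"
}
```

     A digest fetched over the same plaintext channel as the archive adds
     nothing; the check is only as strong as the out-of-band source of the
     pinned value.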

4. Mitigation and Remediation Recommendation

     The vendor has addressed these issues and provided the following
     statement: We have obtained digital certificates for our
     download webpages and have updated our URL links accordingly
     to HTTPS. Additionally, we have already enabled checksums
     for many of our products on our federal sites and are working
     towards publishing checksums on our commercial download pages.


5. Credit

     This vulnerability was discovered by Hank Leininger of
     KoreLogic, Inc.

6. Disclosure Timeline

     2017.08.11 - KoreLogic submits vulnerability report to Solarwinds
                  contact.
     2017.08.16 - Solarwinds acknowledges receipt of the report.
     2017.08.18 - Solarwinds informs KoreLogic they will begin working
                  on remediation.
     2017.09.07 - Solarwinds informs KoreLogic the issues have been
                  addressed and provides the statement that appears in
                  section 4 of this advisory.
     2017.09.25 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
