-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials Title: Solarwinds LEM Hardcoded Credentials Advisory ID: KL-001-2017-015 Publication Date: 2017.07.06 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt 1. Vulnerability Details Affected Vendor: Solarwinds Affected Product: Log and Event Manager Virtual Appliance Affected Version: v6.3.1 Platform: Embedded Linux CWE Classification: CWE-798: Use of Hard-coded Credentials Impact: Unintended Access Attack vector: Local 2. Vulnerability Description The appliance contains multiple hardcoded passwords and hash digests. 3. Technical Description # grep "password" /usr/local/jetty/scripts/certs/openssl.cnf output_password = QDXTCDD2nJIU # grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org output_password = QDXTCDD2nJIU # grep "password" /usr/local/contego/scripts/certs/openssl.cnf output_password = QDXTCDD2nJIU # grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml q4ROVdYYsV5M q4ROVdYYsV5M q4ROVdYYsV5M # grep -i "password" /usr/local/contego/scripts/indepth-backup.pl my $PASSWORD = "omgcontegorox"; # grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme'; CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports'; //Empty Password # grep -i "password" /usr/local/contego/run/manager/toolconfig/toolstore.script CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e' # grep -i "password" /usr/local/contego/run/indepth.conf InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\= InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\= // cracks to "welcome" without quotes # grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml # grep -i "password" /usr/local/contego/run/system.conf archive.password=omgcontegorox backup.password=omgcontegorox logbackup.password=omgcontegorox # grep -i "password" /usr/local/contego/run/daemon-args.pl my $tls = "-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore -Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M -Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore -Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M"; # grep -i "password" /usr/local/contego/run/manager.conf PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\= ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\= # grep -i "password" /var/rawdata/cores/solr.conf query_password=tObzgVmmszuKGZ40W+PO/Q== //hardcoded md5 # grep -i "password" /var/alertdata/hsql/alertdb.script CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae' CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc' 4. Mitigation and Remediation Recommendation The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at: https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin. 6. Disclosure Timeline 2017.04.06 - KoreLogic submits vulnerability report and PoC to Solarwinds contact. 2017.05.15 - Solarwinds notifies KoreLogic that a hotfix addressing this issue will be available at the end of June. 2017.05.18 - 30 business days have elapsed since this issue was reported. 2017.06.09 - 45 business days have elapsed since this issue was reported. 2017.06.29 - Solarwinds releases hotfix. 2017.07.06 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt -----BEGIN PGP SIGNATURE----- iQFOBAEBCAA4FiEE+cSrtp5jQJEtra70TWWaLA4ZiQwFAllei1gaHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQTWWaLA4ZiQzXNAf/Rx3IyZxBhNwHVrsBClEq 7PmZHhh7THwyr396uufTanrqox7lfYhSVjBvKSg0t7TOpHmZb/fT/iRqnhSxISUr Xv7G3CbKnAwhpz1ItHqF9mP6fHb0rhSyyGGoOSrZUn9U2RryAKszl1q3wpifaMM6 gZXx6JdsEfa0EjqgZJtEIxotywVUsty33jLR5Eu+umWg0Brr5PL65ng2U3k598/C ARdGiXrdJ/Lt5Fp9tR/ApL72M9Q5/7ugvcjMwGGqR80Lw69N3tUmRZ4Ss2CPVz0X gSxHR+OTRH6v1IP2xzrksb03PaOjXMKbYpAC4HUOVMJhaNgAfdeWzWAphKc+ULtE RQ== =cppk -----END PGP SIGNATURE-----