![]() ![]() It’s pretty hard to miss that warning shield showing that the queue, like all the queues, is unauthenticated. “Figure 6: security is not configured on the queues” See if you can pinpoint it in Figure 6 below. “Figure 5: SolarWinds Orion Collector uses MSMQ heavily”Īs you can see, there is a huge list of private queues, and literally every one of them has a specific problem. What about getting complete control over SolarWinds remotely without having any credentials? I mentioned MSMQ technology earlier, so the next thing I tried was to open the Computer Management console and see what’s going on under the Message Queuing, as you can see in Figure 5. SolarWinds Orion Platform Vulnerability (CVE-2021-25274): Messages Queued, Processed, Deserialized and ExploitedĪlright, the previous vulnerability requires local access to the server – even if that access is unprivileged. This concludes the section about configuration file insecure storage. “Figure 4: After using a small decryption utility, we can connect to the database”Īs mentioned earlier, I performed my tests on the trial version and when verifying the patch noticed that while it secures the SWNetPerfMon.DB file it does not secure the SWNetPerfMon.DB.Eval found in the trial. From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products. The next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database. We are withholding all Proof of Concept (PoC) code for these vulnerabilities to give users a little more time to patch, but you’ll be able to test this out for yourselves next week on Feb. In the end, unprivileged users who can log in to the box locally or via RDP will be able to run decrypting code and get a cleartext password for the SolarWindsOrionDatabaseUser. I spent some time finding code that decrypts the password but essentially, it’s a one-liner. Inside this file, we find credentials for the SolarWinds backend database called SOLARWINDS_ORION: “Figure 3: Inside the configuration file are database credentials for the ORION backend” “Figure 2: Authenticated users can read the file content” ![]() Permissions are generously granted to all locally authenticated users, as shown in Figure 2. “ Figure 1: Configuration file with ORION backend database credentials“ After simple grep across the files installed by the product, one file was found (well, actually two, but more on that later), as shown in Figure 1. My first step was to check how well SolarWinds secured the credentials for the backend database since database security is a research area we care about very much. After a few more steps – voilà – we have the product up and running. Next, the installer suggested installing Microsoft SQL Server Express for the product backend database management, but I could have opted to use an existing Microsoft SQL Server instance too. This immediately grabbed my attention since, by default, this technology is not installed on modern Windows systems. As a part of the installation, there is a setup of Microsoft Message Queue (MSMQ), which has been around for more than two decades. I picked User Device Tracker and installed it on a vanilla Windows Server 2019 virtual machine. SolarWinds offers trial versions for download. In light of the recent SolarWinds supply chain attack, I decided to take a quick look at SolarWinds products based on the Orion framework. SolarWinds Orion Platform Vulnerability (CVE-2021-25275): Database Credentials for Everyone We have purposely left out specific Proof of Concept (PoC) code in this post in order to give SolarWinds users a longer margin to patch but we will post an update to this blog that includes the PoC code on Feb. ![]() However, given the criticality of these issues, we recommend that affected users patch as soon as possible. To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any “in the wild” attacks. All three are severe bugs with the most critical one allowing remote code execution with high privileges. In this blog, I will be discussing three security issues found in several SolarWinds products. By Martin Rakhmanov, Security Research Manager, SpiderLabs at Trustwave ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |