In August 2020 we reported six vulnerabilities in SolarWinds N-Central 126.96.36.1990 to the vendor.
The following CVE IDs were assigned to the issues :
- CVE-2020-25617: RCE in N-Central Administration Console (AdvancedScripts Endpoint)
- CVE-2020-25618: Local Privilege Escalation from nable User to root (N-Central Backend Server)
- CVE-2020-25619: Access to Internal Services through SSH Port Forwarding (N-Central Backend Server)
- CVE-2020-25620: SolarWinds Support Account with Default Credentials
- CVE-2020-25621: Local Database does not require Authentication (N-Central Backend Server)
- CVE-2020-25622: CSRF in N-Central Administration Console (AdvancedScripts Endpoint)
The vulnerabilities have been found in the course of an extensive research project, in which we analyze the security of multiple Unified Endpoint Management (UEM) solutions. Similar vulnerabilities have been found in other solutions as we pointed out in previous posts about the Ivanti DSM Suite and Nagios XI. The final outcome of the research project will be published as a whitepaper and possibly conference talk as soon as the project including all disclosure processes concludes.
We will provide a short description of the CVEs outlining the impact of the vulnerabilities. Technical details will be published in a whitepaper as mentioned above. All six vulnerabilities have been verified for SolarWinds N-Central 188.8.131.520.
The N-Central Administration Console (NAC) is a web interface on the backend server and offers administrative control for high-privileged users. The ‘AdvancedScripts’ endpoint of this interface allows the execution of shell scripts inside predefined folders on the server. Due to a path traversal it is possible to execute arbitrary shell commands as the root user on the N-Central backend. To exploit this vulnerability an attacker needs to be authenticated to the NAC.
The main web interface of the N-Central backend executes with the privileges of the ‘nable’ user. While this is not an admin user, it is still allowed to run certain scripts with root privileges through a corresponding entry in the sudoers file. Without further authentication, the ‘nable’ user can execute a ‘nable_wrapper.pl’ script as root. The script is a wrapper for several other scripts and basic shell commands of which many can be exploited to execute arbitrary code in root context.
The N-Central backend uses SSH port forwarding to establish connections between agents and authorized users which intend to access the agent machine. Both the agents and the users are provided with a temporary SSH key pair for this purpose. The SSH connection is restricted to port forwarding and cannot be used to execute commands on the backend. It is however possible to create port forwardings for localhost (127.0.0.1) which can be abused to bypass the local firewall and access internal services of the backend server. Amongst others this includes the local database which can be accessed without authentication (see CVE-2020-25621).
The SolarWinds support account (firstname.lastname@example.org) and the built-in admin (email@example.com) are active by default on all installations and have fixed credentials. The support account can be used to log into the N-Central Administrative Console (NAC) and the regular web interface. The admin account is only able to log into the NAC. If the accounts are not deactivated by the administrator an attacker can abuse the default credentials to access the web interface and possibly also the NAC.
The local Postgres database on the N-Central backend does not require authentication and contains highly sensitive data such as private keys, MD5 password hashes, and also plaintext passwords. Because of the local firewall of the backend, the database is usually not accessible. However, if an attacker can find a bypass for the firewall (see CVE-2020-25619) the unauthenticated database becomes a valuable target leading to a compromised backend.
The ‘AdvancedScripts’ endpoint in the NAC is not protected against CSRF attacks. This vulnerability can be exploited in combination with CVE-2020-25617 resulting in a one-click root RCE attack chain.
The vulnerabilities described herein can be combined to create multiple critical attack paths which compromise the SolarWinds N-Central backend:
– The unauthenticated database (CVE-2020-25621) can be accessed through the SSH port forwarding feature (CVE-2020-25619) if the attacker has access to an agent or N-Central user.
– The CSRF (CVE-2020-25622) and the authenticated RCE in the NAC (CVE-2020-25617) can be combined to achieve the above mentioned one-click root RCE.
– Similarly, the attacker could use the default credentials of the support user (CVE-2020-25620) to authenticate to the NAC and exploit the root RCE (CVE-2020-25617).
The issues regarding the NAC should be considered especially critical as SolarWinds states in their security whitepaper  that the NAC must be exposed to the Internet:
“HTTPS – used for access to the SolarWinds N-central Administration Console (NAC). The firewall must be configured to allow access from the Internet to this port on the SolarWinds N-central server”
We highly recommend immediately updating to the newest version. All of the above mentioned vulnerabilities have been fixed in SolarWinds N-Central 2020.1 HF2.
clou & mantz
This work has been conducted on behalf of the ERNW Research GmbH.
- 05.08.2020: Initial communication with vendor and start of 90 day disclosure period.
- 14.08.2020: Vendor validates vulnerabilities and promises to patch.
- 17.09.2020: CVEs are assigned.
- 29.10.2020: Vulnerabilities are fixed in N-central 2020.1 HF2.
- 10.12.2020: Disclosure of the vulnerability information by ERNW.
SolarWinds MSP was very cooperative and provided regular updates during the responsible disclosure process.