Author: Fabian Ullrich

Misc
by Fabian Ullrich

Whitepaper Endpoint Management & Monitoring Solutions Released

Over the course of the last 2 years we performed vulnerability research on several Endpoint Management & Monitoring Solutions. The results were already partially presented in security advisories which were published on this blog during the last two years. The advisories can be found here:

We also recently presented the results on Troopers 2022. Now the results have been published in a more in-depth manner in the form of a technical whitepaper. The whitepaper can be found here.

Continue reading
Breaking, Misc
by Fabian Ullrich

Security Advisories for Broadcom Automic Automation (UC4)

Updated on 20.06.22 with CVEs and link to Broadcom Security Notice.

In April 2021 we reported seven vulnerabilities in Broadcom Automic Automation (UC4) 12.3.5+hf.3. CVE IDs were assigned on 16.06.22, the corresponding Broadcom Security Notice can be found here.

The vulnerabilities have been found in the course of a research project, in which we analyzed the security of multiple Endpoint Management solutions. Similar vulnerabilities have been found in other solutions as we pointed out in previous posts about the Ivanti DSM Suite, Nagios XI, and Solarwinds N-Central.  The outcome of the research project will be published as a whitepaper and a conference talk at Troopers 2022.

In this blog post we will provide a short description of the vulnerabilities outlining the impact. More technical details will be published in the whitepaper and conference talk. All vulnerabilities were found in Broadcom Automic Automation (UC4) version 12.3.5+hf.3.

Continue reading “Security Advisories for Broadcom Automic Automation (UC4)”

Continue reading
Misc
by Fabian Ullrich

Security Advisories for SolarWinds N-Central

In August 2020 we reported six vulnerabilities in SolarWinds N-Central 12.3.0.670 to the vendor.
The following CVE IDs were assigned to the issues :
  • CVE-2020-25617: RCE in N-Central Administration Console (AdvancedScripts Endpoint)
  • CVE-2020-25618: Local Privilege Escalation from nable User to root (N-Central Backend Server)
  • CVE-2020-25619: Access to Internal Services through SSH Port Forwarding (N-Central Backend Server)
  • CVE-2020-25620: SolarWinds Support Account with Default Credentials
  • CVE-2020-25621: Local Database does not require Authentication (N-Central Backend Server)
  • CVE-2020-25622: CSRF in N-Central Administration Console (AdvancedScripts Endpoint)
The vulnerabilities have been found in the course of an extensive research project, in which we analyze the security of multiple Unified Endpoint Management (UEM) solutions. Similar vulnerabilities have been found in other solutions as we pointed out in previous posts about the Ivanti DSM Suite and Nagios XI. The final outcome of the research project will be published as a whitepaper and possibly conference talk as soon as the project including all disclosure processes concludes.
We will provide a short description of the CVEs outlining the impact of the vulnerabilities. Technical details will be published in a whitepaper as mentioned above. All six vulnerabilities have been verified for SolarWinds N-Central 12.3.0.670.
Continue reading
Misc
by Fabian Ullrich

Security Advisories for Nagios XI

In June 2020 we reported three vulnerabilities in Nagios XI 5.7.1 to the vendor.
The following CVE IDs were assigned to the issues :

  •  CVE-2020-15901: Command Injection in Nagios XI web interface (RCE)
  •  CVE-2020-15902: Cross Site Scripting (XSS)
  •  CVE-2020-15903: Reserved, details will be given on vendor fix

CVE-2020-15901 and CVE-2020-15902 have meanwhile been fixed in version 5.7.2 according to the changelog on the Nagios website (https://www.nagios.com/downloads/nagios-xi/change-log/). CVE-2020-15903 is currently being worked on by the vendor and will probably be fixed in the near future.

Continue reading “Security Advisories for Nagios XI”

Continue reading
Misc
by Fabian Ullrich

Security Advisories for Ivanti DSM Suite

From the end of 2019 on, we reported two critical vulnerabilities in the Ivanti DSM Suite to the vendor. The following CVE IDs were assigned to the issues (but note that they have a status of RESERVED, i.e. titles and descriptions may change in the future):

  • CVE-2020-12441: Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4
  • CVE-2020-13793: Unsafe storage of AD credentials in Ivanti DSM netinst 5.1

The vulnerabilities have meanwhile been fixed and an updated software version can be downloaded here. Continue reading “Security Advisories for Ivanti DSM Suite”

Continue reading