N-Able RSMWinService contains hard coded security constants allowing decryption of domain administrator password

ID VU:912036
Type cert
Reporter CERT
Modified 2015-07-20T19:18:00



SolarWinds N-Able N-Central is an agent-based enterprise support and management solution. N-Able N-Central contains several hard-coded encryption constants in the web interface that allow decryption of the password when combined.


CWE-547: Use of Hard-coded, Security-relevant Constants

N-Able N-Central's RSM service stores the N-Able domain administrator account password in an encrypted (AES128) format. According to the reporter, however, the encrypted password is accessible by any authenticated local or remote user from within the RSM web page source. The credentials are also available in an encrypted format via local RSM configuration files accessible by any local user with rights to browse program files. The encryption keys as well as other parameters needed for decryption are hard-coded and may be extracted from the N-Able RSM software stored on the local user's system. An attacker can use this information to decrypt and obtain the domain administrator password used by the N-Able software.

The reporter states that N-Able N-Central version 9.5.0 is vulnerable to these problems, and versions 9.0 through 9.4 may also be vulnerable.

The CERT/CC has been unable to confirm these vulnerabilities with SolarWinds.
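The CWE-547 pattern described above, shown next to a per-installation alternative. This is an added example, not code from N-Able or from the reporter. The key and nonce values are constructed, all function names are hypothetical, and AES-128-GCM is an assumption, since the advisory states only AES128.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed stand-ins for constants compiled into every shipped copy (16-byte key, 12-byte nonce).
var shippedKey, shippedNonce = []byte("EXAMPLE-KEY-0001"), []byte("EXAMPLE-NONC")

// randBytes reads n bytes from the OS CSPRNG.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-128-GCM; errors are ignored because every key here is 16 bytes.
func aead(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}

// seal returns nonce || ciphertext || tag; open reverses it and rejects a wrong key.
func seal(key, nonce, secret []byte) []byte {
	return aead(key).Seal(append([]byte{}, nonce...), nonce, secret, nil)
}
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// Weak (CWE-547): depends only on constants every holder of the software has.
func sealHardcoded(pw []byte) []byte { return seal(shippedKey, shippedNonce, pw) }

// Hardened: per-install random key (readable by the service account only), fresh nonce.
func sealPerInstall(installKey, pw []byte) []byte { return seal(installKey, randBytes(12), pw) }

func main() {
	pt, _ := open(shippedKey, sealHardcoded([]byte("constructed-password")))
	_, err := open(shippedKey, sealPerInstall(randBytes(16), []byte("constructed-password")))
	fmt.Println(string(pt), err != nil)
}
```

A per-installation key only helps if the key and the ciphertext are not both readable by the same low-privilege users, which is the other half of the exposure this advisory describes.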


According to the reporter, a remote attacker with domain user credentials or access to RSM files on an installed system can obtain domain administrator access.


Apply an Update

According to the reporter, N-Able Support Manager Build 178 and N-Able N-Central Agent version or above, or or above, have addressed remote access to this issue. Users are encouraged to update N-Able software as soon as possible.

The CERT/CC has been unable to confirm with SolarWinds that this update fully addresses these issues.

Vendor Information




Notified: June 05, 2015 Updated: July 01, 2015



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
Base | 7.7 | AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal | 6.6 | E:POC/RL:U/RC:UR
Environmental | 4.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Gary Blosser for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: | None
Date Public: | 2015-07-20
Date First Published: | 2015-07-20
Date Last Updated: | 2015-07-20 19:18 UTC
Document Revision: | 45