Solarwinds LEM 6.3.1 Hardcoded Credentials Vulnerability

🗓️ 07 Jul 2017 00:00:00Reported by Matthew BerginType
zdt🔗 0day.today👁 39 Views
Solarwinds LEM 6.3.1 Hardcoded Credentials Vulnerability in Log and Event Manager Virtual Appliance with Local Attack Vecto
Title: Solarwinds LEM Hardcoded Credentials
Advisory ID: KL-001-2017-015
Publication Date: 2017.07.06
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt


1. Vulnerability Details

     Affected Vendor: Solarwinds
     Affected Product: Log and Event Manager Virtual Appliance
     Affected Version: v6.3.1
     Platform: Embedded Linux
     CWE Classification: CWE-798: Use of Hard-coded Credentials
     Impact: Unintended Access
     Attack vector: Local

2. Vulnerability Description

     The appliance contains multiple hardcoded passwords and hash
     digests.

3. Technical Description

     # grep "password" /usr/local/jetty/scripts/certs/openssl.cnf
     output_password      = QDXTCDD2nJIU

     # grep "password" /usr/local/jetty/scripts/certs/openssl.cnf.org
     output_password      = QDXTCDD2nJIU

     # grep "password" /usr/local/contego/scripts/certs/openssl.cnf
     output_password      = QDXTCDD2nJIU

     # grep -i "password" /usr/local/jetty/etc/jetty-ssl.xml
             <Set name="password">q4ROVdYYsV5M</Set>
             <Set name="keyPassword">q4ROVdYYsV5M</Set>
             <Set name="trustPassword">q4ROVdYYsV5M</Set>

     # grep -i "password" /usr/local/contego/scripts/indepth-backup.pl
     my $PASSWORD = "omgcontegorox";

     # grep -i "password" /usr/local/contego/scripts/database/pgsql/flow.sql
     CREATE ROLE trigeo      WITH CREATEDB LOGIN PASSWORD 'rootme';
     CREATE ROLE contego     WITH CREATEDB LOGIN PASSWORD 'reports';

     //Empty Password
     # grep -i "password" /usr/local/contego/run/manager/toolconfig/toolstore.script
     CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'

     # grep -i "password" /usr/local/contego/run/indepth.conf
     InDepthMaintenPassword=tVyf+rPBho7S0WOd/29MPg\=\=
     InDepthManagerPassword=zhZi52gTxKbMKTzgdfBtMQ\=\=

     // cracks to "welcome" without quotes
     # grep -i "password" /usr/local/contego/run/tomcat/conf/tomcat-users.xml
         <user username="manager" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="manager"/>
             <user username="administrator" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="admin"/>
             <user username="auditor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="audit"/>
             <user username="monitor" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="alerts_only"/>
             <user username="contact" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="notify_only"/>
             <user username="user" password="c0b137fe2d792459f26ff763cce44574a5b5ab03" roles="user"/>

     # grep -i "password" /usr/local/contego/run/system.conf
     archive.password=omgcontegorox
     backup.password=omgcontegorox
     logbackup.password=omgcontegorox

     # grep -i "password" /usr/local/contego/run/daemon-args.pl
     my $tls = "-Djavax.net.ssl.keyStore=/usr/local/contego/scripts/certs/.keystore
-Djavax.net.ssl.keyStorePassword=q4ROVdYYsV5M -Djavax.net.ssl.trustStore=/usr/local/contego/scripts/certs/.truststore
-Djavax.net.ssl.trustStorePassword=q4ROVdYYsV5M";

     # grep -i "password" /usr/local/contego/run/manager.conf
     PSQLPassword=aNErCbdTvwaXxnusqVsNCQ\=\=
     ForensicPassword=BosMXyGmaT/ej+S3GU6fRQ\=\=

     # grep -i "password" /var/rawdata/cores/solr.conf
     query_password=tObzgVmmszuKGZ40W+PO/Q==

     //hardcoded md5
     # grep -i "password" /var/alertdata/hsql/alertdb.script
     CREATE USER SA PASSWORD DIGEST 'fe42a787c40ad4110affab25e8bad4ae'
     CREATE USER "trigeo" PASSWORD DIGEST '54837f887425d1eda4d0ddcee6c2d3fc'

4. Mitigation and Remediation Recommendation

     The vendor has released a Hotfix to remediate this
     vulnerability. Hotfix and installation instructions are
     available at:

     https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Log_and_Event_Manager_LEM_6-3-1_Hotfix_5_ReadMe
     http://downloads.solarwinds.com/solarwinds/Release/HotFix/SolarWinds-LEM-v6.3.1-Hotfix5.zip

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

     2017.04.06 - KoreLogic submits vulnerability report and PoC to
                  Solarwinds contact.
     2017.05.15 - Solarwinds notifies KoreLogic that a hotfix
                  addressing this issue will be available at the end
                  of June.
     2017.05.18 - 30 business days have elapsed since this issue was
                  reported.
     2017.06.09 - 45 business days have elapsed since this issue was
                  reported.
     2017.06.29 - Solarwinds releases hotfix.
     2017.07.06 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

#  0day.today [2018-02-09]  #
07 Jul 2017 00:00Current
6.5Medium risk
Vulners AI Score6.5