SSD Advisory – SolarWinds Multiple Vulnerabilities

Vulnerabilities Summary
SolarWinds Server and Application Monitor version 6.1.1 has been found to contain multiple vulnerabilities:

  1. Node Custom Properties Persistent XSS
  2. Audit Events Module Persistent XSS
  3. Custom “Data Source” and ‘Where Clause’ Persistent XSS
  4. “Build Dynamic Query Name” Persistent XSS
  5. Multiple Persistent XSS Vulnerabilities Via ‘Title’ field
  6. Application Monitor Template Persistent XSS
  7. NOC View Name Persistent XSS

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We notified SolarWinds about the vulnerabilities back in August 2015, repeated attempts to re-establish contact and get some answers on the status of the patches for these vulnerabilities went unanswered. We have also contacted CERT in August 2015, but they were unable to get them to addresses these issues. At this time there is no solution or workaround for these vulnerabilities.

Vulnerabilities Details
Node Custom Properties Persistent XSS
The vulnerability can be found in ‘Add Custom Property

  1. From the Settings, click ‘Manage Nodes‘ in the ‘Node & Group Management module
  2. Click ‘Add Node‘, enter valid ip and then select ‘No Status‘, click Next
  3. Click Next, this should bring you to the ‘Change Properties‘ section
  4. Click the ‘Manage Custom Properties‘ link.
  5. Click ‘Add Custom Property‘, then click Next.

The ‘Name‘ and the ‘description‘ fields do not sanitize user input, allowing HTML and Javascript code injection. The injected code is then visible (once saved) when the attached node is edited.
Sample code used:

<script>alert(1)</script>

Audit Events Module Persistent XSS
The Audit Events Module (from the summary page) does not properly sanitize user generated input. If unauthorized code is injected into values that will be displayed when an event is generated, the Audit Events Module will display the code in it’s entirety.
Custom “Data Source” and ‘Where Clause’ Persistent XSS
When creating a custom data source, it is possible to enter data such that one field will break the code, and the other field will then execute the injected code. This has been identified in two locations, as follows:
Option 1:

  1. From the home screen, click ‘Custom Summary‘, and then edit the ‘Custom Table‘ module
  2. Click ‘select datasource
  3. Click add condition, change field to ‘description‘ and enter “><script>alert(1)</script>”
  4. Under Selection name, enter “><script>alert(2);</script>”

Option 2:

  1. From the home screen, click ‘Custom Summary‘, and then edit the ‘Custom Chart‘ module
  2. Click ‘select datasource
  3. Click add condition, change field to ‘description‘ and enter “><script>alert(1)</script>
  4. Under Selection name, enter “><script>alert(2);</script>

Breaking out of one entry point allows for the execution of the other. The injected code is then visible when the table/chart is edited.
“Build Dynamic Query Name” Persistent XSS
The vulnerability can be found in ‘add dynamic query

  1. From the home screen, click ‘groups‘, and then ‘manage groups‘ in the ‘all groups‘ module
  2. Click ‘add new group
  3. Enter a name and description and then click next
  4. Now you should be at the ‘add orion objects‘ screen
  5. Click ‘add dynamic query

The ‘dynamic query object name’ field does not properly sanitize user input, allowing for code injection. The injected code is then visible (once saved) by editing the query again.
Multiple Persistent XSS Vulnerabilities Via ‘Title‘ field
Several modules contain the ability to edit them and modify the title of the displayed module. This title field does not properly sanitize user input, and is thus subject to XSS attacks that are triggered when the module is edited again. Some of these modules will trigger an event that then displays the attack on the main summary screen.
Option 1:

  • From the home screen, click ‘groups‘, and then edit the ‘all groups‘ module

Option 2:

  • From the home screen, click ‘groups‘, and then edit the ‘Groups With Problems‘ module

Option 3:

  • From the home screen, click ‘groups‘, and then edit the ‘Map‘ module

Option 4:

  • From the home screen, click ‘groups’, and then edit the ‘Last 25 Group Events’ module

Option 5:

  • From the home screen, click ‘Virtualization’, and then edit the ‘Virtualization Assets’ module

Option 6:

  • From the home screen, click ‘Virtualization’, and then edit the ‘Virtualization Assets Summary’ module

All modules are affected for Groups, Virtualization, Applications/Exchange, Applications/SQL Server, Applications/IIS, Applications/Windows, Applications/Linux, and Applications/Active Directory
Sample code used:

<script>alert(1)</script>

Application Monitor Template Persistent XSS
The vulnerability can be found in ‘Create New Template

  1. From the home screen, click ‘Applications‘ tab, and then click ‘Active Directory
  2. Click ‘Manage Applications‘ in the ‘All Applications‘ Module
  3. Click ‘Application Monitor Templates
  4. Click ‘Create New Template

Sample code used:

<script>alert(1)</script>

NOC View Name Persistent XSS
The vulnerability can be found in ‘Create New Template

  1. From the home screen, click ‘Virtualization‘, and then click ‘Customize Page
  2. Scroll down and click ‘list of related NOC views
  3. Add or edit a NOC view. The name field does not sanitize user input, allowing for code injection

The injected code is then visible (once saved) either by editing the view again or when editing limitation page
Sample code used:

<script>alert(1)</script>