Advisory Overview
The Center for Internet Security has announced that multiple vulnerabilities have been discovered in SolarWinds N-Central. The SolarWinds N-Central vulnerabilities are not associated with the SolarWinds Orion security incident. SolarWinds has released patches for the vulnerabilities and all users are advised to update as soon as possible.
Technical detail and additional information
What is the threat?
Multiple vulnerabilities were reported in SolarWinds N-Central 12.3.0.670. Security researchers found that successful exploitation of two of these vulnerabilities could allow for remote code execution if used in conjunction. These vulnerabilities vary both in their severity and potential impact, but all of them have been patched at this time. The vulnerabilities are as follows:
• An OS command-injection vulnerability due to traversal issue (CVE-2020-25617). Can be used in conjunction with CVE-2020-25622 for a one-click root RCE attack chain.
• A local privilege escalation vulnerability (CVE-2020-25618).
• An unauthorized access vulnerability due to built-in support and admin accounts with default credentials (CVE-2020-25620).
• An unauthorized access vulnerability due to an authentication mechanism in the local Postgres database (CVE-2020-25621).
• A CSRF vulnerability in N-Central Admin Console (CVE-2020-25622). Can be used in conjunction with CVE-2020-25617 for a one-click root RCE attack chain.
What is the exposure or risk?
SolarWinds is a popular remote monitoring and management automation platform that many MSP organizations utilize to monitor and maintain IT systems. MSPs are a popular and lucrative target for attackers attempting to exploit vulnerabilities as a successful exploit, which can lead to a much larger compromise if the MSP themselves are compromised. As reported by the Center for Internet Security, successful exploitation could allow for remote code execution and “depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights” (CISecurity).
There are currently no reports of these vulnerabilities being exploited in the wild.
What are the recommendations?
SolarWinds recommends updating to N-central 2020.1 HF2, as it addresses the vulnerabilities.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-solarwinds-n-central-could-allow-for-remote-code-execution_2020-170/#:~:text=Multiple%20Vulnerabilities%20have%20been%20discovered%20in%20SolarWinds%20N%2DCentral%2C%20two,CVE%2D2020%2D25617
- https://documentation.solarwindsmsp.com/N-central/Rel_2020-1-2_HF2/N-central_2020-1-2_HF2_ReleaseNotes_en.pdf
- https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central/
If you have any questions, please contact our Security Operations Center.