Executive Summary

Summary
Title: N-Able RSMWinService contains hard coded security constants allowing decryption of domain administrator password

Information
Name: VU#912036
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-07-20
Last vendor modification: 2015-07-20
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Impact subscore: N/A
Exploitability subscore: N/A
Temporal score: N/A
Environmental score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVSS base score: 4.0
CVSS impact score: 2.9
CVSS exploit score: 8.0
Attack range: Network
Attack complexity: Low
Authentication: Requires single instance

Note that this vector differs from the CERT/CC scoring given in the note below (base AV:A/AC:L/Au:S/C:C/I:C/A:C, score 7.7): Security-Database scores a partial confidentiality impact reachable from the network, while CERT/CC scores a complete compromise from an adjacent network. Read the severity with that gap in mind.

Detail

Vulnerability Note VU#912036

N-Able RSMWinService contains hard coded security constants allowing decryption of domain administrator password

Original Release date: 20 Jul 2015 | Last revised: 20 Jul 2015

Overview

SolarWinds N-Able N-Central is an agent-based enterprise support and management solution. N-Able N-Central contains several hard-coded encryption constants that, combined with the encrypted password exposed through the web interface, allow the domain administrator password to be decrypted.

Description

CWE-547: Use of Hard-coded, Security-relevant Constants

N-Able N-Central's RSM service stores the N-Able domain administrator account password in encrypted (AES-128) form. According to the reporter, however, the encrypted password is present in the source of the RSM web page and is therefore readable by any authenticated local or remote user. The same encrypted credentials are also held in local RSM configuration files that any local user with rights to browse the program files can read. The encryption key, together with the other parameters needed for decryption, is hard-coded and can be extracted from the N-Able RSM software installed on the local user's system. Combining the two, an attacker can decrypt and obtain the domain administrator password used by the N-Able software; the encryption provides no protection against anyone who has a copy of the software.
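The weakness in that paragraph, as an added example that is neither N-Able's code nor part of the CERT/CC note: a small Go program, constructed for this page, that protects a password under a key compiled into the binary, shows that anyone holding the blob and the binary recovers the password, and contrasts that with a per-installation key the binary alone cannot supply. The key bytes, the sample password and all function names are made up for illustration; the AES mode used here (GCM) is an assumption, since the advisory says only "AES128".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-in for the hard-coded AES-128 key the advisory describes. It
// is not N-Able's real constant; the point is only that it ships inside the
// product, so anyone who can read the installed files can read it too.
var hardcodedKey = []byte("0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts value with AES-128-GCM under key: fresh random nonce, then
// nonce||ciphertext||tag as base64, the shape a config field would hold.
func Seal(key []byte, value string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(value), nil)), nil
}

// Open reverses Seal. Because GCM authenticates, a wrong key or an edited blob
// is rejected with an error rather than decrypted to plausible garbage.
func Open(key []byte, blob string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreWithHardcodedKey mirrors the weak design: the service protects the
// domain administrator password with a key compiled into the binary.
func StoreWithHardcodedKey(password string) (string, error) {
	return Seal(hardcodedKey, password)
}

// RecoverPassword is the attacker's side: take the blob from the config file
// or the RSM page source, reuse the key pulled out of the installed binary,
// decrypt. "Encrypted" here protects nothing from anyone who has the software.
func RecoverPassword(blob string) (string, error) {
	return Open(hardcodedKey, blob)
}

// NewInstallKey is the hardened shape: a per-installation key drawn from the
// OS CSPRNG at install time and never present in the shipped binary. On
// Windows the service would then wrap it with DPAPI (LocalMachine scope) and
// store it under an ACL limited to the service account; that wrapping step is
// outside this example.
func NewInstallKey() ([]byte, error) {
	k := make([]byte, 16)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func main() {
	const pw = "Constructed-P@ssw0rd" // sample value, not a real credential
	blob, _ := StoreWithHardcodedKey(pw)
	got, err := RecoverPassword(blob)
	fmt.Printf("hard-coded key:  recovered=%q err=%v\n", got, err)

	key, _ := NewInstallKey()
	sealed, _ := Seal(key, pw)
	_, err = Open(hardcodedKey, sealed) // the key from the binary is useless now
	fmt.Printf("per-install key: recovered nothing, err=%v\n", err)
}
```

Run it with go run: the first line prints the recovered password, the second an authentication error. The cipher and mode are not what matters; what matters is that in the first half every input to the decryption is available to whoever reads the installed files, exactly the situation the reporter describes, while in the second half the binary carries no secret at all.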

The reporter states that N-Able N-Central version 9.5.0 is vulnerable to these problems; versions 9.0 through 9.4 may also be vulnerable.

The CERT/CC has been unable to confirm these vulnerabilities with SolarWinds.

Impact

According to the reporter, a remote attacker with domain user credentials, or a local attacker with access to the RSM files on an installed system, can obtain domain administrator access.

Solution

Apply an Update

According to the reporter, N-Able Support Manager Build 178, and N-Able N-Central Agent version 9.5.1.4514 or later or 10.0.0.1722 or later, address remote access to this issue (the reporter does not say whether the locally readable configuration files are addressed as well). Users are encouraged to update N-Able software as soon as possible.

The CERT/CC has been unable to confirm with SolarWinds that this update fully addresses these issues.

Vendor Information

Vendor: SOLARWINDS
Status: Affected
Date notified: 05 Jun 2015
Date updated: 01 Jul 2015

CVSS Metrics

Base: 7.7 (AV:A/AC:L/Au:S/C:C/I:C/A:C)
Temporal: 6.6 (E:POC/RL:U/RC:UR)
Environmental: 4.9 (CDP:ND/TD:M/CR:ND/IR:ND/AR:ND)

References

  • None

Credit

Thanks to Gary Blosser for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 20 Jul 2015
  • Date First Published: 20 Jul 2015
  • Date Last Updated: 20 Jul 2015
  • Document Revision: 43

Original Source

Url : http://www.kb.cert.org/vuls/id/912036

CWE : Common Weakness Enumeration

Id: CWE-200 Information Exposure (100 %)

The CERT/CC note itself classifies the flaw as CWE-547, Use of Hard-coded, Security-relevant Constants; CWE-200 is Security-Database's own mapping.

Alert History

2015-07-22 21:28:39: Multiple Updates
2015-07-21 21:32:33: Multiple Updates
2015-07-21 00:25:44: First insertion