
SolarWinds Core vulnerability found by Nessus scan, ID: 83817

Created by Daniel Polaske, last modified by MindTouch on Jun 23, 2016


Overview

Vulnerability issues with ID 83817 are reported when running a Nessus scan.

The remote host is running a version of SolarWinds Orion Core that is affected by multiple blind SQL injection vulnerabilities in the 'AccountManagement.asmx' script. A remote attacker, after being authenticated using the built-in default 'Guest' account, can exploit these vulnerabilities to execute arbitrary SQL commands. Note that the 'Guest' account needs to be enabled for exploitation of these vulnerabilities to occur.

For more information, see:

Authenticated Stacked SQL injection in core SolarWinds Orion service (CVE-2014-9566)

NPM v11.5.3 Release Notes

Environment

All versions prior to:

  • Network Performance Monitor 11.5
  • Server & Application Monitor 6.2
  • Web Performance Monitor 2.2
  • Storage Resource Monitor 6.0
  • User Device Tracker 3.2.1
  • Network Configuration Manager 7.4

Cause 

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.

For more information, see:

Authenticated Stacked SQL injection in core SolarWinds Orion service (CVE-2014-9566)

Vulnerability Summary for CVE-2014-9566

Multiple SolarWinds Orion products CVE-2014-9566 Multiple SQL Injection Vulnerabilities

Resolution

This vulnerability has been fixed in Orion Platform 2015.1, so the following product versions (and later) are secured:

  • Network Performance Monitor 11.5
  • Server & Application Monitor 6.2
  • Web Performance Monitor 2.2
  • Storage Resource Monitor 6.0
  • User Device Tracker 3.2.1
  • Network Configuration Manager 7.4

A hotfix for Orion Platform 2014.2.1 can be used as a patch for the following products:

  • Network Performance Monitor 11.0.1
  • IP Address Manager 4.3
  • User Device Tracker 3.2
  • Network Configuration Manager 7.3.1
  • Engineer's Toolset 11.0.1
  • Patch Manager 2.1


NTA does not use the Orion Platform and is not vulnerable.

Since Orion Platform is a shared component of multiple products, please take note of the following:

  • If any product with Orion Platform 2015.1 listed above is installed on the same machine, Core is upgraded and the vulnerability is fixed.
  • If any product with Orion Platform 2014.2.1 listed above is installed on the same machine, Core is upgraded and the hotfix can be applied.
  • The Orion Platform version can be found in the footer of the Orion Web Console page (e.g. "Orion Platform 2015.1.0") or in the "Add or Remove programs" section (e.g. "SolarWinds Orion Core Services 2015.1.0").


For example, a customer has installed NPM 11.5 with WPM 2.1. While WPM 2.1 itself might be vulnerable, the combination with NPM 11.5 is secure, because the shared Core is at Orion Platform 2015.1.
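Because the shared Core version, not the individual product version, decides whether the host is fixed, the practical check is to read the Orion Platform version and compare it against the 2015.1 fix level and the 2014.2.1 hotfix level named above. The PowerShell below is an added example for this article, not SolarWinds code: Get-OrionPlatformStatus classifies a version string taken from the Web Console footer or from Add or Remove programs, and Get-InstalledOrionPlatformVersion reads it from the standard Windows uninstall registry keys on the Orion server. The assumption that the Core package's uninstall DisplayName follows the "SolarWinds Orion Core Services 2015.1.0" wording quoted above is mine; the sample version strings at the end are constructed to show each outcome.

```powershell
# Added example (not from the SolarWinds article): classify an Orion Platform
# version against the fix level (2015.1) and hotfix level (2014.2.1) the
# article gives for CVE-2014-9566, and read the installed version on the server.

function Get-OrionPlatformStatus {
    param(
        # Version as shown in the Web Console footer or in Add or Remove
        # programs, e.g. "2015.1.0" or "2014.2.1"
        [Parameter(Mandatory)][string]$PlatformVersion
    )
    $v        = [version]$PlatformVersion
    $fixed    = [version]'2015.1'    # Orion Platform 2015.1 contains the fix
    $hotfixed = [version]'2014.2.1'  # a hotfix is published for this level

    if ($v -ge $fixed) {
        return 'Fixed: Orion Platform {0} includes the CVE-2014-9566 fix' -f $v
    }
    elseif ($v -eq $hotfixed) {
        return 'Hotfix required: apply the Orion Platform 2014.2.1 hotfix'
    }
    else {
        return 'Vulnerable: upgrade Core to Orion Platform 2015.1 or later'
    }
}

function Get-InstalledOrionPlatformVersion {
    # Assumption: Core registers an uninstall entry whose DisplayName matches
    # the article's "SolarWinds Orion Core Services 2015.1.0" wording.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'SolarWinds Orion Core Services*' } |
        Select-Object -First 1
    if (-not $entry) { return $null }
    # Prefer the trailing dotted version in the display name; fall back to
    # the package's DisplayVersion field.
    if ($entry.DisplayName -match '(\d+(\.\d+)+)\s*$') { return $Matches[1] }
    return $entry.DisplayVersion
}

# Constructed sample versions (not observed data) showing each outcome
'2015.1.0', '2014.2.1', '2014.2.0' | ForEach-Object {
    '{0,-10} {1}' -f $_, (Get-OrionPlatformStatus -PlatformVersion $_)
}

# On an Orion server, check the version that is actually installed
$installed = Get-InstalledOrionPlatformVersion
if ($installed) { Get-OrionPlatformStatus -PlatformVersion $installed }
```

Run it in an elevated PowerShell session on the Orion server; a host that reports Fixed for Core is secure regardless of which older product versions from the Environment list are installed alongside it, which is the point of the NPM 11.5 with WPM 2.1 example above.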

