
War Room

Shells from above


Solarwinds

October 14, 2019 By Mike

How a Default SolarWinds Guest Account Can Facilitate Compromise – and How to Fix It

The Problem

SolarWinds is a leading provider of network monitoring and configuration management software. However, there’s a default feature on the SolarWinds Orion Network Performance Monitor tool that could be putting your organization at big risk.

The issue is a default guest account with no password. Since this monitoring tool is commonly seen on external networks, anyone can log in to the management interface from the internet without having to provide a password. With this access, the user can see sensitive network information. What’s more, many organizations do not know this account exists, and even those who have deleted the account may find that it has resurfaced after a SolarWinds software update. The Shodan search engine reveals there are over 1000 SolarWinds portals exposed externally.

Default account + no password + externally accessible = recipe for disaster.

The Risk

The SolarWinds tool is designed to track system health and manage device configurations. This is valuable information for both network engineers and attackers, so it’s something that you want to keep private. Through the guest account, however, this information is not only accessible but can facilitate a compromise.

We have exploited this vulnerability during penetration tests to do just that. Access to the Orion portal with the guest account provides an interactive dashboard of device names, locations, and security alerts. While this information would be hugely beneficial to either an external or internal attacker, the compromise can be pushed further through the use of the Network Configuration Manager (NCM) features. Using the NCM, an authenticated user would be able to pull down configurations from all devices associated with SolarWinds.

Figure 1: Access to configuration files in NCM

Device configurations are by nature sensitive, and they can provide another vector by which an attacker can gather information. Most importantly, these configuration files may contain device and network passwords. For Cisco devices, passwords and secrets can be protected with type 6 storage, which uses a secure AES key for encryption. However, other types, such as type 0 and type 7, can allow an attacker to easily recover these passwords in plaintext.
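To show what "weak encryption" looks like from the defender's side, here is an added example (not from the original post or from RSM) that audits a retrieved Cisco IOS configuration and flags credentials by storage type, so an operator can find type 0 and type 7 lines before an attacker does. The sample configuration is constructed for the example, the type classifications reflect public Cisco documentation, and secret values are redacted in the output rather than recovered.

```python
import re
from dataclasses import dataclass

# Constructed sample IOS config (not from the page) covering each storage type.
SAMPLE_CONFIG = """\
hostname core-sw01
enable password 0 Summer2019
enable secret 5 $1$abcd$constructedmd5placeholder
username netops password 7 0822455D0A16
username auditor secret 9 $9$constructedscryptplaceholder
key config-key password-encrypt
username backup password 6 ZxYwV_constructed_type6_ciphertext
snmp-server community public RO
line vty 0 4
 password 7 094F471A1A0A
"""

@dataclass
class Finding:
    line_no: int
    line: str          # the config line with the secret value redacted
    storage_type: str  # Cisco type digit, or "snmp"
    severity: str
    note: str

# Severity per Cisco password storage type, as classified for this audit.
TYPE_INFO = {
    "0": ("HIGH", "type 0: plaintext, readable directly from the config"),
    "7": ("HIGH", "type 7: reversible encoding, trivially recoverable"),
    "5": ("MEDIUM", "type 5: salted MD5, crackable offline; prefer type 8/9"),
    "6": ("LOW", "type 6: AES-encrypted with the device master key"),
    "8": ("LOW", "type 8: PBKDF2-SHA256 hash"),
    "9": ("LOW", "type 9: scrypt hash"),
}

# "password <type> <value>" / "secret <type> <value>"
TYPED_RE = re.compile(r"\b(password|secret)\s+(\d)\s+(\S+)")
# "password <value>" with no type digit: IOS stores this as type 0.
UNTYPED_RE = re.compile(r"\b(password|secret)\s+(?!\d\s)(\S+)")
# Community strings are always stored in the clear.
SNMP_RE = re.compile(r"^snmp-server community\s+(\S+)")

def audit_config(text):
    """Return a Finding for every credential-bearing line in an IOS config."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = TYPED_RE.search(line)
        if m:
            _, stype, value = m.groups()
        elif UNTYPED_RE.search(line):
            stype, value = "0", UNTYPED_RE.search(line).group(2)
        elif SNMP_RE.match(line):
            stype, value = "snmp", SNMP_RE.match(line).group(1)
        else:
            continue
        if stype == "snmp":
            sev, note = "HIGH", "SNMP community string stored in the clear"
        else:
            sev, note = TYPE_INFO.get(stype, ("MEDIUM", f"type {stype}: unrecognised"))
        findings.append(Finding(n, line.replace(value, "<redacted>"), stype, sev, note))
    return findings

def weak_credential_count(text):
    """Number of lines an attacker could read or trivially reverse (type 0/7, SNMP)."""
    return sum(1 for f in audit_config(text) if f.severity == "HIGH")

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.severity:6} line {f.line_no:3}: {f.note}  |  {f.line}")
    print(f"{weak_credential_count(SAMPLE_CONFIG)} lines need immediate rotation and re-storage")
```

Run it over every configuration NCM holds; any HIGH finding means the credential should be treated as exposed wherever the configuration has been readable, rotated, and re-entered as a type 6 (or type 8/9 for hashes) secret.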

During our client’s penetration test, we downloaded configuration files, found that some contained passwords stored with weak encryption, and were able to calculate the cleartext passwords. Since these passwords were also reused on several Windows devices, we were able to authenticate to those devices and conduct further action that led to a full network compromise.

The Solution

Though the uncredentialed guest account is not a new feature, many organizations may not know it exists. We recently confirmed the presence of this guest account with three of our clients who were unaware of it or who thought it had been deleted.

Here’s how we helped our clients remediate the issue:

  1. Log in to the interface, and navigate to the user management pane. This should bring up the Account List.
  2. DISABLE – do not delete – the guest account. It may sound counter-intuitive, but deleting the account is not permanent. An update to the SolarWinds software package may recreate the guest account, even if it has previously been deleted (which is what happened to some of our clients). With the testing we’ve conducted, disabling the guest account should prevent it from reappearing.
  3. After future SolarWinds updates, verify that the guest account has remained inactive.


Figure 2: Where to disable guest account
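Step 3 is the one that gets forgotten, so here is an added example (not from the original post or from SolarWinds) of a small script a defender can run after each update to confirm the guest account is still disabled. It assumes the SolarWinds Information Service REST endpoint on its default port 17778 and the SWQL entity Orion.Accounts with AccountID and Enabled columns; the representation of Enabled (a 'Y'/'N' string versus a boolean) is an assumption, so both are accepted. The sample rows are constructed so the evaluation logic can be exercised offline.

```python
import argparse
import base64
import getpass
import json
import ssl
import urllib.request

# Assumed SWIS REST path and default port; confirm against your Orion version.
SWIS_PATH = "/SolarWinds/InformationService/v3/Json/Query"
SWIS_PORT = 17778
ACCOUNT_QUERY = "SELECT AccountID, Enabled FROM Orion.Accounts"

# Constructed rows in the shape the SWIS JSON endpoint returns under "results".
SAMPLE_ROWS = [
    {"AccountID": "Admin", "Enabled": "Y"},
    {"AccountID": "Guest", "Enabled": "N"},
]

def swis_query(host, user, password, query, verify_tls=True):
    """POST a SWQL query to SWIS with basic auth and return the result rows."""
    url = f"https://{host}:{SWIS_PORT}{SWIS_PATH}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps({"query": query}).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a self-signed portal you control
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["results"]

def _is_enabled(value):
    # Assumption: Enabled may come back as 'Y'/'N', a boolean, or 'True'/'False'.
    if isinstance(value, bool):
        return value
    return str(value).strip().upper() in ("Y", "TRUE", "1")

def guest_status(rows):
    """Classify the guest account: 'enabled', 'disabled' or 'absent'.

    'absent' is not a pass: the post notes that a deleted guest account can be
    recreated by an update, so the durable state to verify is 'disabled'.
    """
    guests = [r for r in rows if str(r.get("AccountID", "")).lower() == "guest"]
    if not guests:
        return "absent"
    return "enabled" if any(_is_enabled(r.get("Enabled")) for r in guests) else "disabled"

def verdict(rows):
    """Map the status to a (pass, message) pair suitable for a post-update check."""
    status = guest_status(rows)
    messages = {
        "disabled": "Guest account present and disabled: expected state.",
        "enabled": "Guest account is ENABLED: disable it in Account List now.",
        "absent": "Guest account not found: it was deleted, not disabled; "
                  "recheck after the next update, it may be recreated.",
    }
    return status == "disabled", messages[status]

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Verify Orion guest account is disabled")
    ap.add_argument("host")
    ap.add_argument("--user", required=True)
    ap.add_argument("--insecure", action="store_true", help="skip TLS verification")
    args = ap.parse_args()
    rows = swis_query(args.host, args.user, getpass.getpass(), ACCOUNT_QUERY,
                      verify_tls=not args.insecure)
    ok, msg = verdict(rows)
    print(msg)
    raise SystemExit(0 if ok else 1)
```

The non-zero exit code on anything other than "disabled" lets the check sit in a scheduled job that alerts after patch windows, which is exactly when the account has been seen to come back.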

Organizations that use SolarWinds need to check for what could be a critical exposure useful to both internal and external attackers. The SolarWinds tool may provide you valuable insight into your network, but make sure this information can’t be leaked to the world.


Mike

Penetration tester and former educator.

Copyright © 2023 RSM US LLP. All rights reserved. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit for more information regarding RSM US LLP and RSM International.