How a Default SolarWinds Guest Account Can Facilitate Compromise – and How to Fix It
The Problem
SolarWinds is a leading provider of network monitoring and configuration management software. However, a default setting in the SolarWinds Orion Network Performance Monitor (NPM) can put your organization at serious risk.
The issue is a default guest account with no password. Because the Orion web console is frequently exposed to the internet, anyone can log in to the management interface without supplying a password and browse sensitive information about the monitored network. What's more, many organizations do not know this account exists, and even those that have deleted it may find that it resurfaces after a SolarWinds software update. A Shodan search turns up more than 1,000 SolarWinds portals exposed to the internet.
Default account + no password + externally accessible = recipe for disaster.
The Risk
The SolarWinds tool is designed to track system health and manage device configurations. That information is valuable to network engineers and attackers alike, so it is something you want to keep private. Through the guest account, however, it is not only readable but can be used as a stepping stone to a full compromise.
We have exploited this weakness during penetration tests to do exactly that. Logging in to the Orion portal as the guest account provides an interactive dashboard of device names, locations, and security alerts. That alone is hugely useful to an external or internal attacker, but the compromise can be pushed further with the Network Configuration Manager (NCM) features: using NCM, an authenticated user, including the guest account, can pull down the stored configurations of every device that SolarWinds manages.
Figure 1: Access to configuration files in NCM
Device configurations are sensitive by nature and give an attacker another rich source of information. Most importantly, they often contain device and network passwords. On Cisco devices, secrets such as pre-shared keys can be stored as type 6, which encrypts them with AES under a master key held on the device, and login credentials can be stored as salted hashes (types 5, 8 and 9) that must be cracked offline. Type 0, however, is plain cleartext, and type 7 is a reversible, fixed-key XOR obfuscation that anyone can decode in seconds with a few lines of code.
During our client's penetration test, we downloaded configuration files, found that some contained passwords stored with weak, reversible encoding, and recovered the cleartext passwords. Because those passwords were reused on several Windows hosts, we were able to authenticate to them and take further action that led to a full network compromise.
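To show what "weak encryption" means in practice, here is an added example (not the authors' tooling, and not anything from SolarWinds) that scans a Cisco-style configuration for stored credentials, decodes type 7 values with the published fixed XOR key, and reports which types need offline cracking or the device master key instead. The configuration text, the type 5 hash and the type 6 blob are constructed for the example; the two type 7 values were built with the `type7_encode` helper in the same block.

```python
import re

# Cisco type 7 is a fixed-key XOR ("Vigenere-style") obfuscation, not encryption.
# This is the well-known key that IOS uses; it is not a secret.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext behind a 'password 7' / 'key 7' value.

    Format: two decimal digits (offset into TYPE7_KEY) followed by one
    hex byte per cleartext character, each XORed with the key stream.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 value: %r" % encoded)
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return clear.decode("ascii")


def type7_encode(cleartext: str, seed: int = 0) -> str:
    """Inverse of type7_decode; handy for building test vectors."""
    if not 0 <= seed <= 99:
        raise ValueError("seed must fit in two decimal digits")
    body = "".join(
        "%02X" % (ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
        for i, c in enumerate(cleartext)
    )
    return "%02d%s" % (seed, body)


# Matches 'password <type> <value>', 'secret <type> <value>' and 'key <type> <value>'
# for the storage types IOS prints in a running configuration.
CRED_RE = re.compile(r"\b(?:password|secret|key)\s+(?P<type>[05-9])\s+(?P<value>\S+)")


def audit_config(config: str) -> list:
    """Return one finding per stored credential, with the cleartext where recoverable."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if line.lstrip().startswith("!"):
            continue
        m = CRED_RE.search(line)
        if not m:
            continue
        ptype, value = m.group("type"), m.group("value")
        if ptype == "0":
            recovered, note = value, "type 0: stored in cleartext"
        elif ptype == "7":
            recovered, note = type7_decode(value), "type 7: reversible obfuscation, decoded"
        elif ptype == "6":
            recovered, note = None, "type 6: AES under the device master key; not recoverable from the file alone"
        else:
            recovered, note = None, "type %s: salted hash, needs offline cracking" % ptype
        findings.append({"line": lineno, "type": ptype, "recovered": recovered, "note": note})
    return findings


# Constructed sample configuration (not from any real device). The type 5 hash and
# type 6 blob are illustrative strings; the type 7 values decode to "cisco" and "router".
CONFIG = """\
! constructed sample, not a real device configuration
hostname edge-router-1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 password 7 094F471A1A0A
username backup password 0 Summer2019!
tacacs-server key 7 02140B4E1F031D
crypto isakmp key 6 cQEN]aOJUFZfRoDVDpXWQVCSNXl^I_bJcVIA address 203.0.113.10
"""

if __name__ == "__main__":
    for f in audit_config(CONFIG):
        shown = f["recovered"] if f["recovered"] is not None else "(not recovered)"
        print("line %d  type %s  %-16s %s" % (f["line"], f["type"], shown, f["note"]))
```

Run against a real NCM export, the same scan tells you in seconds which credentials an attacker who reached the Orion guest account would already hold, which is exactly the password-reuse chain described above. The regex is deliberately narrow (`password`, `secret`, `key` followed by a numeric type); SNMP community strings and other cleartext tokens need their own patterns.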
The Solution
Though the passwordless guest account is not a new feature, many organizations do not know it exists. We recently confirmed its presence with three clients who were either unaware of it or believed it had been deleted.
Here’s how we helped our clients remediate the issue:
- Log in to the interface, and navigate to the user management pane. This should bring up the Account List.
- DISABLE the guest account; do not delete it. It may sound counter-intuitive, but deleting the account is not permanent: an update to the SolarWinds software package can recreate the guest account even after it has been deleted, which is exactly what happened to some of our clients. In our testing, disabling the account instead has prevented it from reappearing.
- After every future SolarWinds update, verify that the guest account is still disabled.
Figure 2: Where to disable guest account
Organizations that use SolarWinds need to check for what could be a critical exposure, useful to internal and external attackers alike. The SolarWinds tool may give you valuable insight into your network, but make sure that insight is not leaked to the world.