Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2019-005: SolarWinds Local Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

SolarWinds Worldwide, LLC

CVE ID:

CVE-2019-9546

Affected Products:

  • SolarWinds IP Address Manager v4.7.0
  • SolarWinds Log Manager for Orion v1.1.0
  • SolarWinds Network Configuration Manager v7.8
  • SolarWinds Orion Network Performance Monitor v12.3
  • SolarWinds Orion Network Traffic Analyzer v4.4
  • SolarWinds Server & Application Monitor v6.7
  • SolarWinds Server Configuration Monitor v1.0
  • SolarWinds Storage Resource Monitor v6.7
  • SolarWinds User Device Tracker v3.3.1
  • SolarWinds Virtualization Manager v8.3
  • SolarWinds VoIP and Network Quality Manager v4.5
  • SolarWinds Web Performance Monitor v2.2.2
  • SolarWinds Patch Manager v2.1
  • Access Rights Manager 8MAN v9.1.181.0

Summary:

Multiple SolarWinds products suffer from local privilege escalation due to improper settings of erl.exe service, meaning the process current directory is set to C:\ProgramData\SolarWinds\Orion\RabbitMQ\. Moreover, the service execute the command C:\Windows\system32\cmd.exe /c handle.exe /accepteula -s -p 1180 2> nul as NT AUTHORITY\SYSTEM every five seconds, naturally the process will first try to run the non-existing handle.exe binary from the current directory which happens to be writable by standard users.

Mitigation:

Apply Orion Platform 2018.4 Hotfix 2 or higher.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 02-19-19: ACTIVELabs Sent security vulnerability report to SolarWinds PSIRT team
  • 02-20-19: PSIRT team acknowledged report and stated that they will investigate the issue
  • 02-27-19: PSIRT team communicated that the security vulnerability has been addressed
  • 02-27-19: ACTIVELabs requested more information
  • 02-28-19: PSIRT team confirmed that a patch has been included/released in HotFix 2 version
  • 03-01-19: ACTIVELabs requested CVE from MITRE
  • 03-01-19: CVE-2019-9546 assigned
  • 03-01-19: Notified PSIRT team about CVE assignment and a blog post will be published in the near future
  • 03-04-19: PSIRT team requested to delay blog post release until proper knowledge base article can be prepared/published
  • 03-04-19: Notified PSIRT team that ACTIVELabs will hold off on the blog post until further notice
  • 03-06-19: PSIRT team informed ACTIVELabs that a knowledge base article has been released
  • 04-30-19: ACTIVELabs publishes this advisory