SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4
An improper access control vulnerability was discovered in the SolarWinds’ Log & Event Manager (LEM) management console (CMC). The CMC is a restricted environment providing functionality for upgrading or maintaining LEM appliances. This vulnerability allows an authenticated user to bypass restrictions imposed by the CMC and browse the underlying server’s filesystem, as well as read the contents of arbitrary files contained within.
The vendor has been notified and has issued patches.
To demonstrate the impact of this vulnerability, the assessment team browsed the filesystem of the SolarWinds appliance to locate and then read the file containing the admin user’s password hash.
By running the editbanner command in the LEM CLI, a nano session was opened, as shown below:
Figure 1 - nano in restricted mode, as called from SolarWinds LEM CLI
Although not displayed, the key bindings to read a file (^R), or to open the filesystem browser (^R, ^T) were still available, and using them resulted in the following display:
Figure 2 - Browsing SolarWinds server's filesystem in nano text editor
After navigating to the directory /usr/local/contego/run/manager, the file UserContextLibrary.xml was selected. Its contents, which included the administrative user’s password hash, were dumped into nano’s buffer:
Figure 3 - Administrative user's hash visible from nano editor
This proof of concept demonstrated that it is possible to escape the access controls implemented by the SolarWinds LEM CLI and the installed nano text editor to browse the underlying filesystem and read arbitrary files.