ACTIVE-2019-005.md

ACTIVE-2019-005: SolarWinds Local Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

SolarWinds Worldwide, LLC

CVE ID:

CVE-2019-9546

Affected Products:

• SolarWinds IP Address Manager v4.7.0
• SolarWinds Log Manager for Orion v1.1.0
• SolarWinds Network Configuration Manager v7.8
• SolarWinds Orion Network Performance Monitor v12.3
• SolarWinds Orion Network Traffic Analyzer v4.4
• SolarWinds Server & Application Monitor v6.7
• SolarWinds Server Configuration Monitor v1.0
• SolarWinds Storage Resource Monitor v6.7
• SolarWinds User Device Tracker v3.3.1
• SolarWinds Virtualization Manager v8.3
• SolarWinds VoIP and Network Quality Manager v4.5
• SolarWinds Web Performance Monitor v2.2.2
• SolarWinds Patch Manager v2.1
• Access Rights Manager 8MAN v9.1.181.0

Summary:

Multiple SolarWinds products suffer from local privilege escalation due to improper settings of erl.exe service, meaning the process current directory is set to C:\ProgramData\SolarWinds\Orion\RabbitMQ\. Moreover, the service execute the command C:\Windows\system32\cmd.exe /c handle.exe /accepteula -s -p 1180 2> nul as NT AUTHORITY\SYSTEM every five seconds, naturally the process will first try to run the non-existing handle.exe binary from the current directory which happens to be writable by standard users.

Mitigation:

Apply Orion Platform 2018.4 Hotfix 2 or higher.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

• https://support.solarwinds.com/SuccessCenter/s/article/CVE-2019-9546-Orion-Platform-Vulnerability
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9546
• https://nvd.nist.gov/vuln/detail/CVE-2019-9546

Disclosure Timeline:

• 02-19-19: ACTIVELabs Sent security vulnerability report to SolarWinds PSIRT team
• 02-20-19: PSIRT team acknowledged report and stated that they will investigate the issue
• 02-27-19: PSIRT team communicated that the security vulnerability has been addressed
• 02-27-19: ACTIVELabs requested more information
• 02-28-19: PSIRT team confirmed that a patch has been included/released in HotFix 2 version
• 03-01-19: ACTIVELabs requested CVE from MITRE
• 03-01-19: CVE-2019-9546 assigned
• 03-01-19: Notified PSIRT team about CVE assignment and a blog post will be published in the near future
• 03-04-19: PSIRT team requested to delay blog post release until proper knowledge base article can be prepared/published
• 03-04-19: Notified PSIRT team that ACTIVELabs will hold off on the blog post until further notice
• 03-06-19: PSIRT team informed ACTIVELabs that a knowledge base article has been released
• 04-30-19: ACTIVELabs publishes this advisory