CVE-2018-13442: SolarWinds NPM SQL Injection

A SQL injection vulnerability has been discovered in SolarWinds’ Network Performance Monitor (NPM).  This vulnerability has been designated CVE-2018-13442.

SolarWinds NPM is one of the most widely used network monitoring tools available in the current market. It provides features such as availability monitoring, network discovery, health status, performance monitoring, and bandwidth analysis in order to help reduce network outages and improve overall performance.

Affected Versions

The SQL injection described by CVE-2018-13442 exists in Network Performance Monitor (NPM) versions 12.3 and prior.

Details

The SQL injection vulnerability is exploited by injecting queries to the TriggeringObjectEntityNames parameter in a POST request to /api/ActiveAlertsOnThisEntity/GetActiveAlerts.

This vulnerability allows a would-be threat actor the ability to inject code to the application’s database, which would provide access to all of the data housed within. This would include the login credentials for SolarWinds NPM, which could open up the possibility for privilege escalation in the event of administrator password hashes being cracked. Depending on the configuration of the database, such as the privilege level of the database user, access to the underlying file system or the achievement of command execution may also be possible. Authentication to SolarWinds NPM is required in order to exploit this vulnerability, and as registration is approved by administrators, a user account would first have to be compromised.

Patch

SolarWinds have acknowledged the existence of the vulnerability and have confirmed they have been able to replicate it. A fix was issued on the 2nd of August, 2018 as part of Orion Platform 2018.2 Hotfix 4 (HF4):

https://support.solarwinds.com/Success_Center/Orion_Platform/Orion_Documentation/Orion_Platform_2018-2_Hotfix_4

Timeline

  • Vulnerability discovered: 19 June 2018
  • SolarWinds informed: 19 June 2018
  • SolarWinds technical team response: 26 June 2018
  • SolarWinds hotfix (2018.2 HF4) released: 02 August 2018
  • Nettitude public disclosure: 02 August 2018