5. EVERYONE LIKES CREDENTIALS!
• VMWare ESX creds
• SNMPv3 creds
• Windows creds
• Orion creds
Asset management is what Orion does, and it needs creds to do that more effectively than Nmap. No surprises here.
10. HOW DOES IT ENCRYPT THESE THINGS?
MAYBE IN THE SECURITY.DLL?
12. REVERSE ENGINEER ADDED TO MY RESUME... #SHABOWWOW.
This slide is for all the exploit devs and reverse engineers who think they can pentest because they can spin up Metasploit and generate shellcode.
Much love <3 <3
20. FINDING #1 – REALITY CHECK
• You have to be SYSTEM on the Orion box to export this key.
• The certificate doesn't seem to ever change. Get it once, and you have it forever.
• It is created per-install.
31. FINDING #2 – EASILY REVERSIBLE "ENCRYPTED" PASSWORD STORED
• Does a lot of bit flipping and changing the password around to obfuscate it. I didn't recognize the function as any type of encoding I've seen before.
• Doesn't use system data, the certificate, or any type of encryption; more like encoding than encryption.
• Disabled if FIPS compliance is enabled, but that doesn't force a password change.
• FIPS compliance can break things, especially in older applications. Test before enabling.
37. FINDING #3 – CLEAR TEXT AND OLD CONFIGURATIONS KEPT IN TEXT FILE
• No screenshot for proof that old configurations stick around, but I have seen it; I just haven't had a chance to reproduce it on a lab box.
• Old configurations may have the database password in clear text. This was also observed, but no screenshot is available.
• The encrypted credential uses the same certificate to encrypt as the other account passwords. SolarWinds responded saying it's using DPAPI instead... I haven't had a chance to confirm either way.
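A quick way to find the stale connection strings this finding describes is to scan the config file for password tokens. The script below is an added example, not code from the talk or from SolarWinds; the sample lines are constructed, and the key names and the file path are assumptions, since the slides do not show the SWNetPerfMon.DB layout.

```powershell
# Added example (not from the talk or from SolarWinds). Scans lines of a text
# config file for ADO/SQL connection strings that carry a cleartext password
# and returns redacted findings so the scan output itself does not leak secrets.
function Find-ClearTextDbPassword {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Tokens that carry a password inside a connection string.
    $pattern = '(?i)\b(Password|Pwd)\s*=\s*([^;]+)'
    $findings = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if ($line -match $pattern) {
            $value = $Matches[2].Trim()
            # Skip empty values and obvious placeholders; they are not usable secrets.
            if ($value -in @('', '*', '****', '<encrypted>')) { continue }
            $findings += [pscustomobject]@{
                LineNumber = $i + 1
                Key        = $Matches[1]
                Redacted   = $value.Substring(0, [Math]::Min(2, $value.Length)) + '***'
                Context    = ($line -replace $pattern, '$1=<redacted>')
            }
        }
    }
    return $findings
}

# Constructed sample: the live entry uses integrated auth, but a stale "old"
# entry still carries the SQL password in the clear. Key names are assumptions.
$sample = @(
    'ConnectionString=Data Source=ORIONDB;Initial Catalog=NetPerfMon;Integrated Security=True',
    'Old-ConnectionString=Data Source=ORIONDB;Initial Catalog=NetPerfMon;User ID=swuser;Password=Winter2016!',
    'EncryptedConnectionString=<encrypted>'
)
Find-ClearTextDbPassword -Lines $sample | Format-Table -AutoSize

# Against the real file (set the path for your install; not shown in the slides):
# $SwNetPerfMonPath = 'C:\path\to\SWNetPerfMon.DB'
# Find-ClearTextDbPassword -Lines (Get-Content $SwNetPerfMonPath) | Format-Table -AutoSize
```

On the constructed sample only line 2 is reported, with the password shown as `Wi***`. Anything the scan flags in an "old" entry is a candidate for the cleanup in fix 3 below, and the account it names should be rotated, since the value has been sitting on disk readable by anyone who could read the file.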
38. RESULTS
YOU ARE GOING TO TELL US HOW TO FIX THIS, RIGHT?
39. RESULTS / FIXES
1. Exportable RSA encryption key certificate
   1. Mark the certificate as non-exportable. This may break things.
2. Storage of creds in an easily reversible format (basically LM reinvented)
   1. Enable FIPS compliance if you can.
   2. Change passwords once this is done to ensure the fix is effective.
3. Cleartext credentials in configuration file (SWNetPerfMon.DB)
   1. Clear out "old" connection strings.
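Finding #1 and fix 1.1 both turn on whether the private key behind the Orion encryption certificate can be exported. The script below is an added example, not code from the talk or from SolarWinds: it reports exportability for machine-store certificates and then shows the re-import that makes a key non-exportable. The subject filter and the PFX path are assumptions; the slides do not name the certificate.

```powershell
# Added example (not from the talk or from SolarWinds). Run elevated on the
# Orion server. Reports whether each matching machine-store certificate has an
# exportable private key, for both CNG and legacy CAPI keys.
function Get-PrivateKeyExportability {
    param([string]$SubjectFilter = '*')   # '*' lists every cert with a private key

    Get-ChildItem Cert:\LocalMachine\My |
      Where-Object { $_.HasPrivateKey -and $_.Subject -like $SubjectFilter } |
      ForEach-Object {
        $cert = $_
        $exportable = 'unknown'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: exportable if AllowExport or AllowPlaintextExport is set.
                $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                         [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
                $exportable = ($rsa.Key.ExportPolicy -band $allow) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the CSP container records the flag directly.
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Typically "access denied" when the current account cannot open the key.
            $exportable = "unknown: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Exportable = $exportable
        }
      }
}

# Subject filter is an assumption; adjust to the Orion encryption certificate.
Get-PrivateKeyExportability -SubjectFilter '*SolarWinds*' | Format-Table -AutoSize

# Remediation for fix 1.1. A key cannot be flagged non-exportable in place, so
# export it once (you need the rights the talk describes), remove it, and
# re-import WITHOUT -Exportable. Keep the PFX offline as the only backup, and
# test afterwards: Orion may need the key for agents, clustering or other pieces.
# Assumes exactly one certificate matches the filter.
# $pw   = Read-Host -AsSecureString 'PFX password'
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like '*SolarWinds*'
# Export-PfxCertificate -Cert $cert -FilePath 'C:\backup\orion.pfx' -Password $pw
# Remove-Item $cert.PSPath
# Import-PfxCertificate -FilePath 'C:\backup\orion.pfx' -CertStoreLocation Cert:\LocalMachine\My -Password $pw
# Get-PrivateKeyExportability -SubjectFilter '*SolarWinds*'   # Exportable should now read False
```

`Import-PfxCertificate` imports the key as non-exportable unless `-Exportable` is passed, which is the whole fix. Note that a non-exportable flag only stops the supported export path; an attacker who already runs as SYSTEM on the box has other ways at the key material, so the firewall and access restrictions on the next slide matter more than this flag.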
40. RESULTS / FIXES
Generic Solution:
• Ensure the Orion server is protected as much as possible.
• No access from the standard user network; block SMB/WMI/WinRM.
• Require RDP with smartcard for administration.
• Restrict access to the HTTP/S ports as much as possible.
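One way to put the generic solution into Windows Firewall on the Orion server, as an added example that is not from the talk or from SolarWinds: default-deny inbound, then allow management only from an admin subnet and the web UI only from the operator subnet. The subnet values are assumptions, and any listener Orion itself needs inbound (SNMP traps, syslog, agent connections) must be allowed before this is enforced.

```powershell
# Added example (not from the talk or from SolarWinds). Run elevated on the
# Orion server. Subnets are assumptions; replace with your own.
$AdminNet    = '10.10.50.0/24'   # assumption: jump hosts / admin workstations
$OperatorNet = '10.10.60.0/24'   # assumption: NOC / people who use the web UI
$UserNet     = '10.20.0.0/16'    # assumption: standard user network

# 1. Default-deny inbound on every profile; allow rules below open only what is needed.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the broad built-in allow groups for the protocols the slide says to block.
foreach ($group in 'File and Printer Sharing',
                   'Windows Management Instrumentation (WMI)',
                   'Windows Remote Management',
                   'Remote Desktop') {
    Disable-NetFirewallRule -DisplayGroup $group
}

# 3. Explicit blocks from the user network. Block rules win over allow rules in
#    Windows Firewall, so a later broad allow cannot silently reopen these.
$blocks = @(
    @{ Name = 'Orion - block SMB from user net';     Port = 445 },
    @{ Name = 'Orion - block RPC/WMI from user net'; Port = 135 },
    @{ Name = 'Orion - block WinRM from user net';   Port = 5985,5986 }
)
foreach ($b in $blocks) {
    New-NetFirewallRule -DisplayName $b.Name -Direction Inbound -Protocol TCP `
        -LocalPort $b.Port -RemoteAddress $UserNet -Action Block | Out-Null
}

# 4. Administration: RDP only from the admin subnet. Smartcard-only logon is
#    enforced through Group Policy on the RDP side, not by the firewall.
New-NetFirewallRule -DisplayName 'Orion - RDP from admin net' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminNet -Action Allow | Out-Null

# 5. Web UI: HTTP/S only from the operator subnet.
New-NetFirewallRule -DisplayName 'Orion - web UI from operator net' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -RemoteAddress $OperatorNet -Action Allow | Out-Null

# 6. Review what is now allowed inbound; anything Orion needs that is missing
#    (trap/syslog listeners, agent ports) gets its own scoped allow rule here.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort |
    Sort-Object Protocol, LocalPort -Unique
```

Apply this from a console session or the admin subnet, not over WinRM from a host that step 3 is about to block. The `-RemoteAddress` scoping is what turns "restrict access to the HTTP/S ports as much as possible" into something enforceable: the service stays up, but the ports simply do not answer from the user network.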
41. OVERALL RATING: A-
• Really impressed with SolarWinds' use of certificate encryption for passwords. It's much better than most implementations I've seen.
• Impressed with SolarWinds reaching out about the talk and being cordial and understanding about how slow/busy I am in responding to emails.
• Would definitely work with the SolarWinds team again.
• One request: I didn't see the ability to use U2F/MFA on the web interface; it would be nice if that was available.
Honestly, I'm not sure if this is required by Orion or not. This may be needed for its agents, clustering or other infrastructure pieces. While this isn't good, to be able to