DIVD-2021-00017 - SolarWinds N-able N-central agent vulnerabilities
Our reference | DIVD-2021-00017 |
Case lead | Victor Gevers |
Author | Hidde Smit |
Researcher(s) | |
CVE(s) | |
Product | SolarWinds N-able N-central |
Versions | |
Recommendation | Update SolarWinds N-able N-central to the latest version. |
Patch status | Multi-tenant vulnerabilities are patched in 2021.1 HF6 |
Status | Closed |
Last modified | 12 Aug 2022 11:21 CEST |
Summary
DIVD researchers have identified two vulnerabilities in SolarWinds N-able N-central.
N-able N-central software prior to 2021.1 HF6 is vulnerable to:
- Agent takeover in a multi-tenant environment (NCCF-16663)
- Downloading and installing agents in a multi-tenant environment (NCCF-16662)
The NCCF numbers are bug identifiers assigned by SolarWinds. See the vendor's release notes for further information.
Technical details
Both vulnerabilities can be abused by authenticated users in a multi-tenant environment.
Agent takeover
Agents that are not available to the current user (i.e. agents belonging to another tenant) can be hijacked, giving a malicious actor access to the agent host with SYSTEM-level privileges. No interaction from the other tenants is needed; the vulnerability is exploited through a series of API requests.
Downloading and installing agents from a different tenant
An authenticated user can download agents belonging to other tenants. This leaks information about the other tenant, and agent management can be disrupted by registering a large number of agents.
What you can do
Update N-able N-central to 2021.1 HF6 or later. If you run a multi-tenant environment in which customers are able to log in, check for indicators of abuse.
What we are doing
The Dutch Institute for Vulnerability Disclosure (DIVD) finds zero-days and reports these directly to the affected vendors.
Timeline
Date | Description |
---|---|
05 Jul 2021 | Vulnerabilities discovered. |
12 Jul 2021 | Vendor informed. |
12 Jul 2021 - 14 Jul 2021 | Vendor confirms vulnerability. |
14 Jul 2021 - 27 Aug 2021 | Vendor works on patch. |
27 Aug 2021 | 2021.1 HF6 released. |
24 Sep 2021 | Vendor notified DIVD about the fix. |
24 Sep 2021 | Case closed. |