Skip to the content.

DIVD-2021-00017 – SolarWinds N-able N-central agent vulnerabilities

Our reference DIVD-2021-00017
Case lead Victor Gevers
Author Hidde Smit
Researcher(s)
CVE(s)
  • n/a
Product SolarWinds N-able N-central
Versions
  • < 2021.1 HF6 (build 2021.1.6.731)
Recommendation Update SolarWinds N-able N-central to the latest version.
Patch status Multi-tenant vulnerabilities are patched in 2021.1 HF6
Status Closed

Summary

DIVD researchers have identified two vulnerabilities in SolarWinds N-able N-central.

N-able N-central software prior to 2021.HF6 is vulnerable to:

The NCCF numbers are bug identifiers assigned by SolarWinds. See the release notes further information.

Technical details

Authenticated users in a multi-tenant environment can abuse these vulnerabilities.

Agent takeover

Agents, not available to the current user, can be hijacked. Resulting in a malicious actor gaining access to the agent host with SYSTEM level access. No interaction from other tenants is needed, this vulnerability can be exploited by abusing a series of API requests.

Downloading and installing agents from a different tenant

An authenticated user can download agents from different tenants. This causes an information leak regarding the other tenant. The agent management could be disrupted by registering a high number of agents.

What you can do

Update N-able N-central to 2021.HF6 or higher. Check for abuse indicators, if using a multi-tenant environment where the customer is able to login.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) finds zero-days and reports these directly to the affected vendors.

Timeline

Date Description
05 July 2021 Vulnerabilities discovered.
12 July 2021 Vendor informed.
14 July 2021 Vendor confirmed vulnerability.
27 August 2021 2021.1 HF6 released.
24 September 2021 Vendor notified DIVD about the fix.