Skip to the content.

DIVD-2021-00017 - SolarWinds N-able N-central agent vulnerabilities

Our reference DIVD-2021-00017
Case lead Victor Gevers
Author Hidde Smit
Researcher(s)
CVE(s)
  • n/a
Product SolarWinds N-able N-central
Versions
  • < 2021.1 HF6 (build 2021.1.6.731)
Recommendation Update SolarWinds N-able N-central to the latest version.
Patch status Multi-tenant vulnerabilities are patched in 2021.1 HF6
Status Closed
Last modified 01 Feb 2022 12:52

Summary

DIVD researchers have identified two vulnerabilities in SolarWinds N-able N-central.

N-able N-central software prior to 2021.HF6 is vulnerable to:

The NCCF numbers are bug identifiers assigned by SolarWinds. See the release notes further information.

Technical details

Authenticated users in a multi-tenant environment can abuse these vulnerabilities.

Agent takeover

Agents, not available to the current user, can be hijacked. Resulting in a malicious actor gaining access to the agent host with SYSTEM level access. No interaction from other tenants is needed, this vulnerability can be exploited by abusing a series of API requests.

Downloading and installing agents from a different tenant

An authenticated user can download agents from different tenants. This causes an information leak regarding the other tenant. The agent management could be disrupted by registering a high number of agents.

What you can do

Update N-able N-central to 2021.HF6 or higher. Check for abuse indicators, if using a multi-tenant environment where the customer is able to login.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) finds zero-days and reports these directly to the affected vendors.

Timeline

Date Description
05 Jul 2021 Vulnerabilities discovered.
12 Jul 2021 Vendor informed.
12 Jul 2021-
14 Jul 2021
Vendor confirms vulnerability.
14 Jul 2021-
27 Aug 2021
Vendor works on patch
27 Aug 2021 2021.1 HF6 released.
24 Sep 2021 Vendor notified DIVD about the fix.
24 Sep 2021 Case closed.
gantt title DIVD-2021-00017 - SolarWinds N-able N-central agent vulnerabilities dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00017 - SolarWinds N-able N-central agent vulnerabilities (81 days) :2021-07-05, 2021-09-24 section Events Vulnerabilities discovered. : milestone, 2021-07-05, 0d Vendor informed. : milestone, 2021-07-12, 0d Vendor confirms vulnerability. (2 days) : 2021-07-12, 2021-07-14 Vendor works on patch (44 days) : 2021-07-14, 2021-08-27 2021.1 HF6 released. : milestone, 2021-08-27, 0d Vendor notified DIVD about the fix. : milestone, 2021-09-24, 0d Case closed. : milestone, 2021-09-24, 0d