DIVD-2021-00017 - SolarWinds N-able N-central agent vulnerabilities
| Case lead | Victor Gevers |
| Product | SolarWinds N-able N-central |
| Recommendation | Update SolarWinds N-able N-central to the latest version. |
| Patch status | Multi-tenant vulnerabilities are patched in 2021.1 HF6 |
| Last modified | 01 Feb 2022 12:52 |
DIVD researchers have identified two vulnerabilities in SolarWinds N-able N-central.
N-able N-central software prior to 2021.1 HF6 is vulnerable to:
- Agent takeover in a multi-tenant environment (NCCF-16663)
- Downloading and installing agents in a multi-tenant environment (NCCF-16662)
The NCCF numbers are bug identifiers assigned by SolarWinds. See the release notes for further information.
Authenticated users in a multi-tenant environment can abuse these vulnerabilities.
Agent takeover in a multi-tenant environment
Agents that are not available to the current user can be hijacked, giving a malicious actor SYSTEM-level access on the agent host. No interaction from other tenants is needed; the vulnerability is exploited through a series of API requests.
Downloading and installing agents from a different tenant
An authenticated user can download agents belonging to other tenants. This leaks information about the other tenant, and agent management could be disrupted by registering a large number of agents.
What you can do
Update N-able N-central to 2021.1 HF6 or higher. If you run a multi-tenant environment in which customers can log in, check for indicators of abuse.
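One way to look for the abuse indicators mentioned above (a portal user touching agents of a customer they are not assigned to, and one user registering an unusually high number of agents), as an added example that is not DIVD's or N-able's code: it assumes a constructed audit-log line format and a constructed user-to-customer assignment map, since this advisory does not describe N-central's own audit export.

```python
import re
from collections import Counter

# Constructed audit-log format for this example (not N-central's real format);
# adapt the regex to the fields your own N-central audit export provides.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) customer=(?P<customer>\d+) action=(?P<action>\S+)$"
)

# Constructed mapping of each portal user to the customer IDs they may manage.
ASSIGNED = {
    "alice@tenant-a.example": {101},
    "bob@tenant-b.example": {202},
}

# Constructed sample log lines: alice pulls an agent for customer 202 (not hers),
# and bob registers several agents in quick succession.
SAMPLE_LOG = """\
2021-07-05T10:00:01Z user=alice@tenant-a.example customer=101 action=agent_download
2021-07-05T10:00:09Z user=alice@tenant-a.example customer=202 action=agent_download
2021-07-05T10:01:00Z user=bob@tenant-b.example customer=202 action=agent_register
2021-07-05T10:01:02Z user=bob@tenant-b.example customer=202 action=agent_register
2021-07-05T10:01:03Z user=bob@tenant-b.example customer=202 action=agent_register
2021-07-05T10:01:05Z user=bob@tenant-b.example customer=202 action=agent_register
"""


def parse(log_text):
    """Turn matching log lines into dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({**m.groupdict(), "customer": int(m["customer"])})
    return events


def cross_tenant_events(events, assigned):
    """Agent actions against a customer the acting user is not assigned to."""
    return [e for e in events
            if e["action"].startswith("agent_")
            and e["customer"] not in assigned.get(e["user"], set())]


def registration_bursts(events, threshold):
    """Users whose agent registrations exceed `threshold` in the examined window."""
    counts = Counter(e["user"] for e in events if e["action"] == "agent_register")
    return {user: n for user, n in counts.items() if n > threshold}
```

Tune the registration threshold to the normal onboarding rate of your environment; a single user exceeding it, or any cross-tenant hit, is worth a closer look.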
What we are doing
The Dutch Institute for Vulnerability Disclosure (DIVD) finds zero-days and reports these directly to the affected vendors.
| 05 Jul 2021 | Vulnerabilities discovered. |
| 12 Jul 2021 | Vendor informed. |
| 12 Jul 2021 - 14 Jul 2021 | Vendor confirms vulnerability. |
| 14 Jul 2021 - 27 Aug 2021 | Vendor works on patch. |
| 27 Aug 2021 | 2021.1 HF6 released. |
| 24 Sep 2021 | Vendor notified DIVD about the fix. |
| 24 Sep 2021 | Case closed. |