Title: DDIVRT-2015-55 SolarWinds Log and Event Manager Remote Command Execution
Date Discovered: August 15, 2015
Discovered By: Chris Graham @cgrahamseven
SolarWinds Log and Event Manager (LEM) is vulnerable to Extensible Markup Language (XML) external entity injection through its agent message processing service, which listens on TCP port 37891. Using a crafted XML message, an attacker can trigger the vulnerability and force the disclosure of arbitrary files on the appliance. The flaw can be abused to achieve remote execution of arbitrary system commands, which leads to complete compromise of the LEM appliance and, from there, to full control of any connected endpoint agents deployed throughout the enterprise.
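The root cause described above is an XML consumer that accepts a DOCTYPE, and with it entity declarations, from an untrusted network peer. The following is an added example of the defensive pattern that closes that class of bug; it is not SolarWinds code and does not reflect LEM's real agent protocol. The message element names (agentMessage, host, event), the function names, the 64 KiB size cap and the sample messages are all constructed for illustration. A pre-parse gate refuses any message that carries DTD constructs before it reaches the XML parser, so the policy holds regardless of the parser library's own defaults, and the inspection verdict is shaped so it could also feed a detection rule on a sensor watching the agent port.

```python
"""Added example: a pre-parse gate for XML messages from untrusted agents.

Message format, element names and function names are assumptions for
illustration only; this is not the LEM agent protocol.
"""
import re
import xml.etree.ElementTree as ET

# External entity injection requires a DOCTYPE (internal subset or an
# external DTD reference). A machine-generated agent message has no
# legitimate use for either, so their mere presence is grounds to reject.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
# Reported for log detail only: SYSTEM/PUBLIC external identifiers mark a
# fetch of an outside resource (a local file or a remote DTD).
_EXTERNAL_ID_RE = re.compile(rb"\b(SYSTEM|PUBLIC)\b\s*[\"']", re.IGNORECASE)


class RejectedMessage(ValueError):
    """Raised when an inbound message fails the gate or fails to parse."""


def inspect_message(raw: bytes) -> dict:
    """Classify an XML message without parsing it.

    Returns which risky constructs were seen. 'suspicious' is driven by the
    DOCTYPE/ENTITY checks; 'external_id' is informational so that ordinary
    text containing the word SYSTEM does not by itself cause a rejection.
    """
    findings = {
        "doctype": bool(_DOCTYPE_RE.search(raw)),
        "entity_decl": bool(_ENTITY_RE.search(raw)),
        "external_id": bool(_EXTERNAL_ID_RE.search(raw)),
    }
    findings["suspicious"] = findings["doctype"] or findings["entity_decl"]
    return findings


def parse_agent_message(raw: bytes, max_size: int = 64 * 1024) -> dict:
    """Parse a hypothetical agent message into {element tag: text}.

    Two controls sit in front of the XML parser: a size cap so oversized
    input is dropped cheaply, and the DTD gate so a document carrying a
    DOCTYPE never reaches the parser at all. The stdlib parser used here
    (expat via ElementTree) does not resolve external entities on its own,
    but the gate makes that policy explicit and independent of the library.
    """
    if len(raw) > max_size:
        raise RejectedMessage(f"message exceeds {max_size} bytes")
    verdict = inspect_message(raw)
    if verdict["suspicious"]:
        raise RejectedMessage(f"DTD constructs refused: {verdict}")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from exc
    return {child.tag: (child.text or "") for child in root}


def message_accepted(raw: bytes) -> bool:
    """Convenience wrapper: True if the message passes every control."""
    try:
        parse_agent_message(raw)
    except RejectedMessage:
        return False
    return True


# Constructed sample messages (not captured LEM traffic).
BENIGN_MESSAGE = b"""<?xml version="1.0"?>
<agentMessage><host>srv01</host><event>login ok</event></agentMessage>"""

# The textbook shape the gate exists to stop: an external entity declared in
# the internal subset and referenced in content. The target is a placeholder.
XXE_MESSAGE = b"""<?xml version="1.0"?>
<!DOCTYPE agentMessage [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>
<agentMessage><host>&ext;</host><event>x</event></agentMessage>"""

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_MESSAGE), ("xxe", XXE_MESSAGE)):
        print(label, inspect_message(msg), "accepted=%s" % message_accepted(msg))
```

The check runs on the raw bytes, before any tokenising, because that is the only point at which the decision cannot be influenced by parser configuration: a later change of XML library, or a default that quietly enables entity resolution, does not reopen the hole. Rejected messages should be logged with the verdict dict and the source address, since a DOCTYPE arriving on an agent port is itself a high-signal event.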
A fix for this security issue is not available at this time. In the meantime, end users can mitigate the flaw by restricting access to affected systems with access controls.
SolarWinds has been made aware of the issue and is actively working to resolve it. Contact SolarWinds Support with any questions at: 866.530.8040, option 3.
Tested Systems / Software:
SolarWinds Log and Event Manager 6.1.0 Virtual Appliance
Vendor Name: SolarWinds
Vendor Website: https://www.SolarWinds.com/siem-security-information-event-management-software.aspx