CVE-2014-9566
Published 2015-03-10
Priority P266 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 47.75% (98.7th percentile)
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | orion_ip_address_manager | <= 4.2 | — |
| solarwinds | orion_netflow_traffic_analyzer | <= 4.0 | — |
| solarwinds | orion_network_configuration_manager | <= 7.3.1 | — |
| solarwinds | orion_network_performance_monitor | <= 11.4 | — |
| solarwinds | orion_server_and_application_manager | <= 6.1 | — |
| solarwinds | orion_user_device_tracker | <= 3.1 | — |
| solarwinds | orion_voip_network_quality_manager | <= 4.1 | — |
| solarwinds | orion_web_performance_monitor | <= 2.1 | — |
Detection & IOCs (extracted from sources)
command: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM master..sysdatabases) END))
command: sort=(SELECT (CASE WHEN (8998=8998) THEN CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68) ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC
command: ASC;insert into accounts values ('notadmin', '127-510823478-74417-8', '/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==', 'Feb 1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0, 0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '', 0, '');
- Monitor HTTP GET requests to /AccountManagement.asmx targeting the GetAccounts or GetAccountGroups endpoints for SQL metacharacters (semicolons, WAITFOR, CASE/WHEN, CHAR()) in the 'sort' or 'dir' query parameters.
- Alert on requests to AccountManagement.asmx authenticated with the Guest account (especially with a blank password), as the lack of ACL enforcement allows Guest-level exploitation of admin endpoints.
- Detect stacked SQL injection attempts using WAITFOR DELAY patterns in HTTP query parameters targeting SolarWinds Orion web services.
- Detect unauthorized INSERT INTO accounts SQL statements in database logs or WAF logs, particularly inserting new users with admin privileges and blank passwords.
- Look for the Metasploit auxiliary module solarwinds_orion_sqli being used against the environment; it targets the GetAccounts endpoint for admin account creation via stacked SQL injection.
- The SQL user used by the Orion application is not a database administrator and xp_cmdshell is unavailable, limiting post-exploitation OS-level command execution via this vector.
- Trial installations deploy a local SQL Server Express instance; non-trial versions may use a remote SQL server, which could affect exploitation scope and lateral movement potential.
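The first two detection points above can be checked with an allowlist instead of a keyword blocklist: a legitimate `sort` is a column name and a legitimate `dir` is ASC or DESC, so anything else is worth an alert. This is an added example, not code from the advisory or its sources; the seven-field log layout (date, time, method, URI stem, query, username, status), the URI stem shape and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Endpoints and parameters named in the advisory; the stem shape is an assumption.
ENDPOINT = re.compile(r"/AccountManagement\.asmx/(GetAccounts|GetAccountGroups)$", re.I)
# Allowlist: a bare column name (optionally table-qualified) and a sort direction.
SORT_OK = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?")
DIR_OK = re.compile(r"ASC|DESC", re.I)

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "2015-03-01 10:00:01 GET /AccountManagement.asmx/GetAccounts sort=Accounts.AccountID&dir=ASC admin 200",
    "2015-03-01 10:00:07 GET /AccountManagement.asmx/GetAccounts sort=Accounts.AccountID&dir=ASC;WAITFOR+DELAY+'0:0:5' Guest 200",
    "2015-03-01 10:00:09 GET /AccountManagement.asmx/GetAccountGroups sort=(SELECT+(CASE+WHEN+(1=1)+THEN+1+END))&dir=ASC admin 500",
    "2015-03-01 10:00:12 GET /Default.aspx - admin 200",
]

def check_line(line):
    """Return a list of findings for one log line (empty list = nothing to flag)."""
    fields = line.split()
    if line.startswith("#") or len(fields) != 7:
        return []  # header/comment line or a layout this parser does not know
    _date, _time, _method, stem, query, user, _status = fields
    if not ENDPOINT.search(stem):
        return []
    findings = []
    # Split on '&' only, so a ';' inside a value is kept and inspected.
    params = parse_qs(query, keep_blank_values=True, separator="&")
    for name, allowed in (("sort", SORT_OK), ("dir", DIR_OK)):
        for value in params.get(name, []):
            if not allowed.fullmatch(value):
                findings.append(f"{name} is not a plain column/direction: {value!r}")
    # The advisory notes Guest can reach these admin endpoints (no ACL check).
    if user.lower() == "guest":
        findings.append("request authenticated as Guest")
    return findings

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for finding in check_line(entry):
            print(entry.split()[1], finding)
```
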
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 5.5 MEDIUM
GHSA
GHSA-9cx9-3r2j-m5xx: Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement
ghsa_unreviewed·2022-05-17
CVE-2014-9566 [HIGH] CWE-89 GHSA-9cx9-3r2j-m5xx: Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.
OSV
nagios3 vulnerabilities
osv·2017-04-03·CVSS 5.5
CVE-2013-7108 nagios3 vulnerabilities
It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)
It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)
Dawid Golunski discovered that Nagios incorrectly handled symlinks when
accessing log files. A local attacker could possibly use this issue to
elevate privileges. In the default installation of Ubuntu, this should be
prevented by the Yama link restrictions. (CVE-2016-9566)
No detection rules found.
Exploit-DB
SolarWinds Orion Service - SQL Injection
exploitdb·2015-03-04
CVE-2014-9566 SolarWinds Orion Service - SQL Injection
---
I found a couple SQL injection vulnerabilities in the core Orion service
used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This
service provides a consistent configuration and authentication layer across
the products.
To be exact, the vulnerable applications and versions are:
Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2
At first glance, the injections are only available to admins, as the
requests used are on the Manage Accounts page. However, it seems there is
no real ACL check on the GetAc
Metasploit
Solarwinds Orion AccountManagement.asmx GetAccounts Admin Creation
metasploit
This module exploits a stacked SQL injection in order to add an administrator user to the SolarWinds Orion database.
No writeups or analysis indexed.
http://osvdb.org/show/osvdb/118746
http://packetstormsecurity.com/files/130637/Solarwinds-Orion-Service-SQL-Injection.html
http://seclists.org/fulldisclosure/2015/Mar/18
http://volatile-minds.blogspot.com/2015/02/authenticated-stacked-sql-injection-in.html
http://www.exploit-db.com/exploits/36262
http://www.solarwinds.com/documentation/orion/docs/releasenotes/releasenotes.htm
https://github.com/rapid7/metasploit-framework/pull/4836
Published: 2015-03-10