Solarwinds NPM Orion platform 2018 – vulnerable for stored xss

Network Performance Monitor – Introduction

Network Performance Monitor is a powerful network monitoring software that enables you to quickly detect, diagnose, and resolve network performance problems and outages. NPM uses to identify network elements. During Discovery, NPM scans the network for nodes, and when a node and associated elements are found, you can add them to the SolarWinds database for monitoring.

eSecForte Technologies Security Researcher – Vaibhav Rai found a stored XSS vulnerability in the latest version for SolarWinds NPM (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) and it has been assigned CVE-2019-12954 by the MITRE. SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users.

Method of Exploitation

Steps to Reproduce:

Stored XSS

1. Open the solar wind console login with credential then click on ALERT&ACTIVITY and open

NPM

2. Now click on action manager.

Network Performance Monitor

3. Select action name then click on edit action and put the script tag “<video src=1 onerror=alert(esecforte)>” in Name of action Click on save changes

NPM

4. Now select the action alert and Click on TEST.

Network Performance Monitor

5. The script was executed successfully.

Network Performance Monitor

[Disclosure Process]

  1. Reported the Vulnerability to the Vendor Security or PSIRT Team
  2. Acknowledged confirmed from the Vendor that vulnerability exist
  3. CVE has been filed in NVD
  4. Vendor confirm that the vulnerability is fixed or a latest version, patch is released
  5. Vulnerability disclosed to the public

[Reference]                                        

https://www.solarwinds.com/network-performance-monitor

https://owasp.org/www-community/attacks/xss/

https://en.wikipedia.org/wiki/Cross-site_scripting

[Has vendor confirmed or acknowledged the vulnerability?]

Yes                                                                                                                   

[Discoverer]                                                                                                                                                                                 

Vaibhav Rai from eSecForte Technologies Pvt Ltd https://www.esecforte.com/