CVE-2021-35244: Secure Configuration for the Orion Platform

The “Log alert to a file” action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution.

This document describes configuration options for securing your Orion Platform deployment.

Best practices

  • Ensure you have installed the latest versions of the SolarWinds® Orion® Platform, including hotfixes and service releases.

    If you are not on the latest version of the Orion Platform, you can temporarily protect your environment against the Supernova malware by applying the following security fix: https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip

  • Maintain the latest host operating system, application, and network security updates.

  • Maintain your SQL Server by applying the latest cumulative updates and service packs.

  • Keep your Orion Platform and your SQL database on separate servers.

    SolarWinds recommends that you use a dedicated SQL instance for your Orion database to improve security by segregating the Orion database from other production databases.

  • Be careful not to expose your Orion Platform website on the public Internet.

    If you must enable outbound Internet access from SolarWinds Servers, create a strict allow list and block all other traffic. See Orion Platform Product Features Affected by Internet Access.

  • Disable unnecessary ports, protocols, and services on your host operating system and on applications, like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2021 Microsoft, available at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring, obtained on January 13, 2021.)

  • Apply proper segmentation controls on the network where you have deployed the SolarWinds Orion Platform and SQL Server instances.

  • Implement strict access control and auditing in your environment at operating system and network layers. Limit access to the Orion and SQL server instances to only those authorized persons who require access as part of their duties.

  • Apply layered network security controls, like leveraging application load balancers, setting appropriate firewall rules to limit who can access or send network traffic to your Orion Platform, and deploying security tools to provide additional monitoring across your Orion Platform and SQL Server instances.

  • Purchase additional web servers for segregation and for accessing the web console. Unlike your primary polling engine, these do not run many critical services. Once set up, you can disable IIS and web services on your primary polling engine and allow the rest of the services to function independently of IIS.

  • If you deploy multiple Orion servers in your environment, dedicate these servers where possible and minimize the installation of any third-party software.

  • Do not create local Orion-based accounts unless you cannot integrate Windows or SAML-based authentication. We recommend at minimum using Windows Authentication, or implementing a SAML v2-based solution.

  • Configure account settings and use both account and view limitations, and grant module-specific roles only for the tasks users require in their role.

  • Follow Microsoft’s guidelines for securing SQL Server instances. See Securing SQL Server (© 2021 Microsoft, available at https://docs.microsoft.com/, obtained on January 6, 2021.).

  • Before you install the Orion Platform, ensure the servers in your environment are compliant with supported security standards:

    • STIG
    • FIPS
    • Device Guard

  • Separate your Orion Platform servers from your infrastructure on managed VLANs/jump boxes.

  • On servers, leverage SolarWinds agents to ensure secure, encrypted polling over a single port. See Poll devices with SolarWinds Orion agents.

  • On network devices, use SNMP v3. See CISA Alert (TA17-156A) Reducing the risk of SNMP Abuse (© 2021 U.S. Department of Homeland Security, available at https://us-cert.cisa.gov/ncas/alerts/TA17-156A, obtained on January 11, 2021.)

  • Ensure you have dedicated security monitoring tools in place. Configure AV, EDR, SIEM, Proxy, IDS, or IPS while leveraging SolarWinds products, such as ARM, NCM, Patch Manager, SCM, SEM, or UDT, to provide additional monitoring across your Orion Platform environment and ensure compliance. Carefully monitor logs, user accounts, rogue devices, configuration changes, and security patches across all of your network devices and servers.

  • Rotate credentials (service accounts, SNMP, SSH, and so on), even where local policies do not enforce rotation for monitoring credentials because of the risk of unexpected monitoring outages. See Manage Orion Service Accounts.

  • Assign the Debug Programs user right only to the Administrators group.

To learn how to add an extra layer of security to your deployment with built-in security features native to IIS, see the Success Center article about the IP Address and Domain Restrictions Role Service.

Secure configuration options

Each option below is followed by the Orion Platform versions that support it and its default setting. The sections that follow describe how to enable or configure each one.

  • HTTPS (2017.1 and later): enabled by default if a suitable certificate is found. Recommendations:

    • 2048 bits for RSA (~112-bit security) or 256+ bits for ECDSA (128-bit security).
    • Above 2048 bits, use ECDSA.
    • Renew certificates regularly.
    • Sign certificates with SHA-256 or higher.

  • FIPS (all versions): disabled by default. See Enable FIPS for Orion Platform products.

  • SQL Encrypted SSL (2017 and later): disabled by default. To configure the Orion Platform and SQL with an SSL connection, see Encrypt database connections with SSL.

  • HSTS (2018.4 and later): disabled by default.

  • CSRF (2018.4 and later): __AntiXSRFToken enabled by default; XSRF-TOKEN enabled by default.

  • Secure Cookies (2018.4 and later): enabled by default.

  • Session Management (2020.2 and later): enabled by default.

  • TLS & Cipher Suites (2019.4 and later): settings required.

  • TLS Certificate validation (2019.2 and later): disabled by default.

  • SAML signing (2018.4 and later): disabled by default.

  • Sensitive Exception Details (2019.2 and later): disabled by default.

  • Server Information Headers (Banner) (2020.2 and later): configured in IIS.

  • IIS Request Filtering (2020.2 and later): see the KB article on IIS handler mapping requirements to find out which extensions to allow when using request filtering in IIS.

  • Session Timeouts (all versions): configurable in the Orion Web Console.

  • Secure external programs and script alerting actions (2020.2.1 HF2): starting with the Orion Platform 2020.2.1 Hotfix 2, you can configure your Orion Platform alert actions to run in the context of a limited user account. See the article on securing external programs and script actions.

  • Secure SQL variables used in Orion Platform (2020.2.1 HF2): starting with the Orion Platform 2020.2.1 Hotfix 2, you can use the MacroParserisSecuringSQLMacroEnabled setting to improve the overall security of your Orion Platform by restricting specific SQL macros. See the article on securing SQL variables.

  • Browser Auto-Complete (2020.2.6 and later): configurable in the Orion database.

  • Brute force protection (account lockout) (2020.2.6 and later): Orion individual accounts (or SQL-based accounts) are automatically locked. By default, accounts are locked after 10 failed login attempts for 15 minutes. See Unlock user accounts for details.

HTTPS

Supported by: Orion Platform 2017.1 and later

HTTPS is configured on fresh installs only when a suitable certificate is found on the system. SolarWinds recommends that you do not use a self-signed certificate.

Recommendations for Certificates

  • SolarWinds recommends using strong private keys: 2,048 bits for RSA (~112 bits of security) or 256+ bits for ECDSA (128 bits of security).
  • RSA does not scale well above 2,048 bits, so beyond that ECDSA should be preferred.
  • Renew certificates (including private keys) regularly, because revocation mechanisms are not reliable.
  • Sign your certificates with SHA-256 or higher.

How to enable

  1. Run the Configuration wizard, click Next to use defaults until you reach the Website Settings step.

  2. Select the Enable HTTPS option. See Configure the Orion Web Console to use HTTPS for details.

HSTS

Supported by: Orion Platform 2018.4 and later

HTTP Strict Transport Security (HSTS) protects your deployment against protocol downgrade attacks (MITM SSL stripping). HSTS headers instruct a client's browser to communicate only over HTTPS for a specified period of time. Orion uses 1 year as the default.

How to enable

  1. In the Orion Web Console, click Settings > All Settings, and then click Web Console Settings in the Product Specific Settings (/Orion/Admin/Settings.aspx).

  2. Select the STRICT TRANSPORT SECURITY (HSTS) option and submit your changes.

CSRF Protection

Supported by:

  • Orion Platform 2018.4 to 2019.4 (not enabled by default)
  • Orion Platform 2020.2 and later (enabled by default)

Cross-Site Request Forgery (CSRF) is an attack in which an authenticated user's browser is made to perform an action the user did not intend. Orion uses two separate CSRF tokens/cookies.

  • __AntiXSRFToken - Used by ASP.NET for postback validation, validation enabled by default
  • XSRF-TOKEN - Used by .asmx and WebAPI, validation enabled by default

How to enable

  1. Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

  2. Select the EnableXsrfProtection option and save your changes.

Secure Cookies

Supported by: Orion Platform 2018.4 and later

The Secure flag restricts cookies to HTTPS connections, which helps protect them from MITM attacks. This is enabled by default.

How to enable

  1. Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

  2. Select the EnableCookieSecureFlag option and save your changes.

Session Management

Supported by: Orion Platform 2020.2 and later (enabled by default)

Session management prevents session fixation attacks and provides persistent logout. It binds the session ID to its owner and validates it on each request, and it manages the session lifecycle through login, logout, and expiration.

How to enable

  1. Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
  2. Select the EnableSessionCoupling option and save your changes.

TLS & Cipher Suites

Supported by: Orion Platform 2019.4 and later

See TLS Compatibility with Orion Platform products for details.

How to enable

SolarWinds recommends that you enable TLS machine-wide. You can use IISCrypto or alter Windows registry keys on your own:

  • IIS Crypto (© 2020 Nartac Software, obtained from https://www.nartac.com/Products/IISCrypto on October 1, 2020).
  • Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll (© 2020 Microsoft, obtained from https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc on October 1, 2020).

It is also possible to configure protocols for Orion services only.

RabbitMQ

You can configure the cipher suites that RabbitMQ accepts (and which TLS versions) in the \ProgramData\SolarWinds\Orion\RabbitMQ\rabbitmq.config configuration file.

Go to the ssl_options section and find the following subsections:

  • ciphers: the cipher suites that RabbitMQ accepts; these should correspond with your system-wide settings (as set by IIS Crypto).
  • versions: the TLS versions that RabbitMQ accepts.

See TLS Support for details (© 2007-2020 VMware Inc. or its affiliates, obtained from https://www.rabbitmq.com/ssl.html#tls-versions on October 1, 2020).

SolarWinds uses the classic config file format (the RabbitMQ documentation has a section showing how the cipher suite setting must look in that format).

Recommended Crypto setting

Global machine setting (non-default):

  • Server/Client Protocol: TLS 1.2
  • Ciphers: AES 128/128, AES 256/256
  • Hashes: SHA1, SHA256, SHA384, SHA512
  • Key exchanges: Diffie-Hellman, PKCS, ECDH (DHE minimum key length 2048 bits)
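
The recommended global setting above corresponds to the Schannel registry keys that IIS Crypto edits. The following PowerShell script is an added example, not part of the SolarWinds document or product: it reads those keys without changing anything and reports where the server drifts from the recommendation. It assumes the standard Schannel key names and treats suites the recommendation does not list (RC4, Triple DES, MD5) as expected-off.

```powershell
# Read-only audit of the Schannel registry against the recommended setting
# above (TLS 1.2 only; AES 128/128 and AES 256/256; SHA, SHA256, SHA384, SHA512;
# Diffie-Hellman, PKCS and ECDH with a 2048-bit DHE minimum). Run elevated on
# the Orion server. Treating RC4, Triple DES and MD5 as expected-off is this
# example's assumption, not something the SolarWinds document states.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelDword([string]$Path, [string]$Name) {
    # $null when the key or value is absent (Schannel then applies the OS default).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SchannelEntry([string]$Path, [bool]$Expected) {
    $enabled = Get-SchannelDword $Path 'Enabled'
    $actual = 'unset (OS default)'
    if ($null -ne $enabled) { $actual = if ($enabled -ne 0) { 'enabled' } else { 'disabled' } }
    $want = if ($Expected) { 'enabled' } else { 'disabled' }
    [pscustomobject]@{ Key = $Path.Substring($Base.Length + 1); Expected = $want
                       Actual = $actual; OK = ($actual -eq $want) }
}

function Get-OrionSchannelAudit {
    $protocols = [ordered]@{ 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false
                             'TLS 1.1' = $false; 'TLS 1.2' = $true }
    $ciphers   = [ordered]@{ 'AES 128/128' = $true; 'AES 256/256' = $true
                             'RC4 128/128' = $false; 'Triple DES 168' = $false }
    $hashes    = [ordered]@{ 'SHA' = $true; 'SHA256' = $true; 'SHA384' = $true
                             'SHA512' = $true; 'MD5' = $false }
    $keyEx     = [ordered]@{ 'Diffie-Hellman' = $true; 'PKCS' = $true; 'ECDH' = $true }

    $results = @()
    foreach ($p in $protocols.Keys) {
        foreach ($side in 'Server', 'Client') {
            $path = "$Base\Protocols\$p\$side"
            $r = Test-SchannelEntry $path $protocols[$p]
            # TLS 1.2 must also not be DisabledByDefault, or Schannel will not offer it.
            if ($protocols[$p] -and (Get-SchannelDword $path 'DisabledByDefault') -eq 1) {
                $r.OK = $false; $r.Actual += ' (DisabledByDefault=1)'
            }
            $results += $r
        }
    }
    foreach ($c in $ciphers.Keys) { $results += Test-SchannelEntry "$Base\Ciphers\$c" $ciphers[$c] }
    foreach ($h in $hashes.Keys)  { $results += Test-SchannelEntry "$Base\Hashes\$h" $hashes[$h] }
    foreach ($k in $keyEx.Keys)   { $results += Test-SchannelEntry "$Base\KeyExchangeAlgorithms\$k" $keyEx[$k] }

    # DHE minimum key length (ServerMinKeyBitLength) must be at least 2048 bits.
    $dhMin = Get-SchannelDword "$Base\KeyExchangeAlgorithms\Diffie-Hellman" 'ServerMinKeyBitLength'
    $results += [pscustomobject]@{ Key = 'KeyExchangeAlgorithms\Diffie-Hellman\ServerMinKeyBitLength'
                                   Expected = '>= 2048'; Actual = "$dhMin"; OK = ($dhMin -ge 2048) }
    return $results
}

Get-OrionSchannelAudit | Format-Table -AutoSize
```

A row reported as "unset (OS default)" means the key does not exist and the operating system default applies, which is a finding for the older protocols because the recommendation expects them to be explicitly disabled.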

RabbitMQ Config: DEFAULT

RabbitMQ config has two default cipher suite lists, selected by the FIPS Manager:

  • FIPS Mode On Ciphers

    {dhe_rsa,aes_256_gcm,aead,sha384}
    {dhe_dss,aes_256_gcm,aead,sha384}
    {dhe_rsa,aes_256_cbc,sha256}
    {dhe_dss,aes_256_cbc,sha256}
    {dhe_rsa,aes_128_gcm,aead,sha256}
    {dhe_dss,aes_128_gcm,aead,sha256}
    {dhe_rsa,aes_128_cbc,sha256}
    {dhe_dss,aes_128_cbc,sha256}

  • FIPS Mode Off Ciphers

    {ecdhe_rsa, aes_256_gcm, aead, sha384}
    {ecdhe_ecdsa, aes_256_gcm, aead, sha384}
    {ecdhe_rsa, aes_256_cbc, sha384, sha384}
    {ecdhe_ecdsa, aes_256_cbc, sha384, sha384}
    {ecdhe_rsa, aes_128_gcm, aead, sha256}
    {ecdhe_ecdsa, aes_128_gcm, aead, sha256}
    {ecdhe_rsa, aes_128_cbc, sha256, sha256}
    {ecdhe_ecdsa, aes_128_cbc, sha256, sha256}
    {ecdh_rsa, aes_256_gcm, aead, sha384}
    {ecdh_ecdsa, aes_256_gcm, aead, sha384}
    {ecdh_rsa, aes_256_cbc, sha384, sha384}
    {ecdh_ecdsa, aes_256_cbc, sha384, sha384}
    {ecdh_rsa, aes_128_gcm, aead, sha256}
    {ecdh_ecdsa, aes_128_gcm, aead, sha256}
    {ecdh_rsa, aes_128_cbc, sha256, sha256}
    {ecdh_ecdsa, aes_128_cbc, sha256, sha256}
    {dhe_rsa, aes_256_gcm, aead, sha384}
    {dhe_dss, aes_256_gcm, aead, sha384}
    {dhe_rsa, aes_256_cbc, sha256}
    {dhe_dss, aes_256_cbc, sha256}
    {dhe_rsa, aes_128_gcm, aead, sha256}
    {dhe_dss, aes_128_gcm, aead, sha256}
    {dhe_rsa, aes_128_cbc, sha256}
    {dhe_dss, aes_128_cbc, sha256}

TLS Certificate Validation

Supported by: Orion Platform 2019.2 and later

As required by the Common Criteria Protection Profile (CC PP), TLS certificates should be fully validated.

How to enable

  1. Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

  2. Select the following options and save your changes:

    • CheckOnCertificateChainErrors
    • CheckOnCertificateNameMismatch
    • CheckOnCertificateRevocation

SAML Signing

Supported by: Orion Platform 2018.4 and later (not by default)

Applicable when Single sign-on is used. By default, only one signature is required and validated (assertion or SAML response).

You can configure the Orion Platform to require a specific validation or both validations.

See Authenticate Orion Platform users with SAML v2 for configuration details.

How to enable

  1. Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

  2. Select the following options and save your changes:

    • SamlAssertionSigningRequired
    • SamlResponseSigningRequired

Sensitive Exception Details

Supported by: Orion Platform 2019.2 and later (disabled by default)

By default, only users with Administrator rights can see detailed exceptions. This setting protects you from disclosing sensitive information (variable names, SQL strings, system path information, and source/program code or call stacks) to Orion users.

How to disable

  1. Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx

  2. Clear the IncludeErrorDetail option and save your changes.

Server Information Headers (Banner)

Supported by: Orion Platform 2020.2 or later

To avoid disclosing server information in response headers, apply additional configuration in IIS. The headers concerned are Server (specifies the web server version), X-Powered-By (indicates that the website is "powered by ASP.NET"), and X-AspNet-Version (specifies the version of ASP.NET used).

How to configure

See Disable the IIS web banner and other IIS headers in the Orion Platform for details.
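
The following PowerShell check is an added example, not part of the SolarWinds document: it parses a captured response header block from the Orion Web Console and reports on the settings described in the HSTS, Secure Cookies and Server Information Headers sections above (HSTS with Orion's one-year default, the Secure flag on every cookie, and the three banner headers). The sample response is constructed, and the cookie names and hostname in the comment are placeholders.

```powershell
# Evaluates a raw HTTP response header block for the Orion hardening settings
# above. The sample at the bottom is constructed for illustration; replace it
# with real output, e.g. (Invoke-WebRequest -Uri 'https://<orion-host>/Orion/Login.aspx').RawContent
function Test-OrionResponseHeaders([string]$RawHeaders) {
    $findings = @()
    $headers  = @{}
    $cookies  = @()
    foreach ($line in ($RawHeaders -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            $name = $Matches[1].ToLower()
            if ($name -eq 'set-cookie') { $cookies += $Matches[2] } else { $headers[$name] = $Matches[2] }
        }
    }
    # HSTS: Orion sends a one-year max-age (31536000 seconds) when the option is enabled.
    $hsts = $headers['strict-transport-security']
    if (-not $hsts) {
        $findings += 'Strict-Transport-Security missing: enable STRICT TRANSPORT SECURITY (HSTS) in Web Console Settings'
    } elseif ($hsts -match 'max-age=(\d+)' -and [int64]$Matches[1] -lt 31536000) {
        $findings += "Strict-Transport-Security max-age $($Matches[1]) is shorter than the one-year default"
    }
    # Secure cookies: every Set-Cookie should carry the Secure attribute (EnableCookieSecureFlag).
    foreach ($c in $cookies) {
        if ($c -notmatch ';\s*Secure\s*(;|$)') { $findings += "cookie without Secure flag: $($c.Split('=')[0])" }
    }
    # Banner headers that disclose the web server and framework versions.
    foreach ($h in 'server', 'x-powered-by', 'x-aspnet-version') {
        if ($headers.ContainsKey($h)) { $findings += "disclosure header present: $h = $($headers[$h])" }
    }
    return $findings
}

# Constructed sample: HSTS on, one cookie missing Secure, all three banner headers present.
$sample = @"
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Strict-Transport-Security: max-age=31536000
Set-Cookie: ASP.NET_SessionId=constructed; path=/; HttpOnly
Set-Cookie: XSRF-TOKEN=constructed; path=/; Secure; HttpOnly
"@
Test-OrionResponseHeaders $sample
```

For the constructed sample the function returns four findings: the session cookie without the Secure flag and the three banner headers; an empty result means all three settings are in place for that response.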

Session Timeouts

You can configure your Orion Platform sessions to time out after a shorter time than the default 25 minutes.

  1. Log in to the Orion Web Console as an administrator and click Settings > All Settings in the menu bar.

  2. In the Product Specific Settings grouping, click Web Console Settings.

  3. In Session Timeout, type a time period shorter than the default of 25 minutes, and save your changes.

Browser Auto-Complete

Supported by: Orion Platform 2020.2.6 and later

Browser auto-complete can store sensitive data; it is disabled by setting the appropriate attribute on the HTML input element. Auto-complete is now disabled on the login page and some admin pages.

How to enable/disable

  1. Connect to the Orion database and update the WebSettings table.

  2. Set UseBrowserAutoComplete to True or False.
