CVE-2021-35244: Secure Configuration for the Orion Platform
The “Log alert to a file” action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload, resulting in remote code execution.
This document describes configuration options for securing your Orion Platform deployment.
Best practices
Ensure you have installed the latest versions of the SolarWinds® Orion® Platform, including hotfixes and service releases.
If you are not on the latest version of the Orion Platform, you can temporarily protect your environment against the Supernova malware by applying the following security fix: https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
Maintain the latest host operating system, application, and network security updates.
Maintain your SQL Server by applying the latest cumulative updates and service packs.
Keep your Orion Platform and your SQL database on separate servers.
SolarWinds recommends that you use a dedicated SQL instance for your Orion database to improve security by segregating the Orion database from other production databases.
Be careful not to expose your Orion Platform website on the public Internet.
If you must enable outbound Internet access from SolarWinds Servers, create a strict allow list and block all other traffic. See Orion Platform Product Features Affected by Internet Access.
Disable unnecessary ports, protocols, and services on your host operating system and on applications, like SQL Server. For more details, see the SolarWinds Port Requirements guide and Best practices for configuring Windows Defender Firewall (© 2021 Microsoft, available at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/best-practices-configuring, obtained on January 13, 2021.)
Apply proper segmentation controls on the network where you have deployed the SolarWinds Orion Platform and SQL Server instances.
Implement strict access control and auditing in your environment at operating system and network layers. Limit access to the Orion and SQL server instances to only those authorized persons who require access as part of their duties.
Apply layered network security controls, like leveraging application load balancers, setting appropriate firewall rules to limit who can access or send network traffic to your Orion Platform, and deploying security tools to provide additional monitoring across your Orion Platform and SQL Server instances.
Purchase additional web servers for segregation and for accessing the web console. Unlike your primary polling engine, these do not run many critical services. Once set up, you can disable IIS and web services on your primary polling engine and allow the rest of the services to function independently of IIS.
If you deploy multiple Orion servers in your environment, dedicate these servers where possible and minimize the installation of any third-party software.
Do not create local Orion-based accounts unless you cannot integrate Windows or SAML-based authentication. At minimum, use Windows Authentication, or implement a SAML v2-based solution.
Configure account settings and apply both account and view limitations, along with module-specific roles, granting users only what the tasks of their role require.
Follow Microsoft’s guidelines for securing SQL Server instances. See Securing SQL Server (© 2021 Microsoft, available at https://docs.microsoft.com/, obtained on January 6, 2021.).
Before you install the Orion Platform, ensure the servers in your environment are compliant with supported security standards:
- STIG
- FIPS
- Device Guard
Separate your Orion Platform servers from your infrastructure on managed VLANs/Jumpboxes.
On servers, leverage SolarWinds agents to ensure secure, encrypted polling over a single port. See Poll devices with SolarWinds Orion agents.
On network devices, use SNMP v3. See CISA Alert (TA17-156A) Reducing the risk of SNMP Abuse (© 2021 U.S. Department of Homeland Security, available at https://us-cert.cisa.gov/ncas/alerts/TA17-156A, obtained on January 11, 2021.)
Ensure you have dedicated security monitoring tools in place. Configure AV, EDR, SIEM, Proxy, IDS, or IPS while leveraging SolarWinds products, such as ARM, NCM, Patch Manager, SCM, SEM, or UDT, to provide additional monitoring across your Orion Platform environment and ensure compliance. Carefully monitor logs, user accounts, rogue devices, configuration changes, and security patches across all of your network devices and servers.
Rotate credentials (service accounts, SNMP, SSH, and so on) where local policies may not enforce this due to unexpected outages of monitoring. See Manage Orion Service Accounts.
Assign the Debug Programs user right only to the Administrators group.
To learn about using built-in security features native to IIS to add an extra layer of security to your deployment, see the Success Center article about the IP Address and Domain Restrictions Role Service.
Secure configuration options
| Security option | Version | Default settings |
| --- | --- | --- |
| HTTPS | 2017.1 and later | Enabled by default if a suitable certificate is found. Recommendations: 2048 bits for RSA (~112-bit security) or 256+ bits for ECDSA (128-bit security); above 2048 bits, use ECDSA; renew certificates regularly; sign certificates with SHA-256 or higher. |
| FIPS | All versions | Disabled by default. See Enable FIPS for Orion Platform products. |
| SQL Encrypted SSL | 2017 and later | Disabled by default. To configure the Orion Platform and SQL with an SSL connection, see Encrypt database connections with SSL. |
| HSTS | 2018.4 and later | Disabled by default |
| CSRF | 2018.4 and later | __AntiXSRFToken enabled by default; XSRF-TOKEN enabled by default |
| Secure Cookies | 2018.4 and later | Enabled by default |
| Session Management | 2020.2 and later | Enabled by default |
| TLS & Cipher Suites | 2019.4 and later | Settings required |
| TLS Certificate validation | 2019.2 and later | Disabled by default |
| SAML signing | 2018.4 and later | Disabled by default |
| Sensitive Exception Details | 2019.2 and later | Disabled by default |
| Server Information Headers (Banner) | 2020.2 and later | See the section below |
| IIS Request Filtering | 2020.2 and later | See the KB article on IIS handler mapping requirements to find out which extensions to allow when using request filtering in IIS. |
| Session Timeouts | All versions | See the section below |
| Secure external programs and script alerting actions | 2020.2.1 HF2 | Starting with Orion Platform 2020.2.1 Hotfix 2, you can configure your Orion Platform alert actions to run in the context of a limited user account. See the article on securing external programs and script actions. |
| Secure SQL variables used in Orion Platform | 2020.2.1 HF2 | Starting with Orion Platform 2020.2.1 Hotfix 2, you can use the MacroParserisSecuringSQLMacroEnabled setting to improve the overall security of your Orion Platform by restricting specific SQL macros. See the article on securing SQL variables. |
| Browser Auto-Complete | 2020.2.6 and later | See the section below |
| Brute force protection (account lockout) | 2020.2.6 and later | Orion individual accounts (or SQL-based accounts) are automatically locked. By default, accounts are locked after 10 failed login attempts for 15 minutes. See Unlock user accounts for details. |
HTTPS
Supported by: Orion Platform 2017.1 and later
HTTPS is configured on fresh installs only when a suitable certificate is found on the system. SolarWinds recommends that you do not use a self-signed certificate.
Recommendations for Certificates
- SolarWinds recommends using strong private keys: 2,048 bits for RSA (~112 bits of security) or 256+ bits for ECDSA (128 bits of security).
- RSA doesn’t scale well above 2,048 bits, so beyond that, ECDSA should be preferred.
- Renew certificates (including private keys) regularly because revocation mechanisms are not reliable.
- Sign your certificates with SHA256 or higher.
How to enable
Run the Configuration wizard, click Next to use defaults until you reach the Website Settings step.
Select the Enable HTTPS option. See Configure the Orion Web Console to use HTTPS for details.
HSTS
Supported by: Orion Platform 2018.4 and later
HTTP Strict Transport Security (HSTS) protects your deployment against protocol downgrade attacks (such as MITM SSL stripping). HSTS headers instruct a client’s browser to communicate only over HTTPS for a specified period of time. Orion uses 1 year as the default.
How to enable
In the Orion Web Console, click Settings > All Settings, and then click Web Console Settings in the Product Specific Settings (/Orion/Admin/Settings.aspx).
Select the STRICT TRANSPORT SECURITY (HSTS) option and submit your changes.
CSRF Protection
Supported by:
- Orion Platform 2018.4 to 2019.4 (not by default)
- Orion Platform 2020.2 and later (supported by default)
Cross-Site Request Forgery (CSRF) is an attack in which an authenticated user is made to perform an unwanted action. Orion uses two separate CSRF tokens/cookies.
- __AntiXSRFToken - Used by ASP.NET for postback validation, validation enabled by default
- XSRF-TOKEN - Used by .asmx and WebAPI, validation enabled by default
How to enable
Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
Select the EnableXsrfProtection option and save your changes.
Secure Cookies
Supported by: Orion Platform 2018.4 and later
Secure flag helps to protect cookies from MITM attacks. This is enabled by default.
How to enable
Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
Select the EnableCookieSecureFlag option and save your changes.
Session Management
Supported by: Orion Platform 2020.2 and later (enabled by default)
Session management prevents session fixation attacks and provides persistent logout. It binds the session ID to its owner and validates it on each request, and it manages the session lifecycle: login, logout, and expiration.
How to enable
- Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
- Select the EnableSessionCoupling option and save your changes.
TLS & Cipher Suites
Supported by: Orion Platform 2019.4 and later
See TLS Compatibility with Orion Platform products for details.
How to enable
SolarWinds recommends that you enable TLS machine-wide. You can use IISCrypto or alter Windows registry keys on your own:
- IIS Crypto (© 2020 Nartac Software, obtained from https://www.nartac.com/Products/IISCrypto on October 1, 2020).
- Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll (© 2020 Microsoft, obtained from https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc on October 1, 2020).
It is also possible to configure protocols for Orion services only.
RabbitMQ
You can configure all cipher suites that RabbitMQ accepts (and which TLS version) in \ProgramData\SolarWinds\Orion\RabbitMQ\rabbitmq.config configuration file.
Go to the ssl_options section and find the following subsections:
- ciphers: the cipher suites that RabbitMQ accepts; these should correspond with your system-wide settings (as set by IIS Crypto).
- versions: the TLS versions to allow.
See TLS Support for details (© 2007-2020 VMware Inc. or its affiliates, obtained from https://www.rabbitmq.com/ssl.html#tls-versions on October 1, 2020).
SolarWinds uses the classic format of the config file (that page has a section describing how the cipher suite setting must look in this format).
Recommended Crypto setting
Global machine setting: NON DEFAULT
- Server/Client Protocol: TLS 1.2
- Ciphers: AES 128/128, AES 256/256
- Hashes: SHA1, SHA256, SHA384, SHA512
- Key exchanges: Diffie-Hellman, PKCS, ECDH (DHE minimum key length 2048 bits)
RabbitMQ Config: DEFAULT
The RabbitMQ config has two default cipher suite settings, which are configured by the FIPS Manager:
FIPS Mode On Ciphers
{dhe_rsa,aes_256_gcm,aead,sha384}
{dhe_dss,aes_256_gcm,aead,sha384}
{dhe_rsa,aes_256_cbc,sha256}
{dhe_dss,aes_256_cbc,sha256}
{dhe_rsa,aes_128_gcm,aead,sha256}
{dhe_dss,aes_128_gcm,aead,sha256}
{dhe_rsa,aes_128_cbc,sha256}
{dhe_dss,aes_128_cbc,sha256}
FIPS Mode Off Ciphers
{ecdhe_rsa, aes_256_gcm, aead, sha384}
{ecdhe_ecdsa, aes_256_gcm, aead, sha384}
{ecdhe_rsa, aes_256_cbc, sha384, sha384}
{ecdhe_ecdsa, aes_256_cbc, sha384, sha384}
{ecdhe_rsa, aes_128_gcm, aead, sha256}
{ecdhe_ecdsa, aes_128_gcm, aead, sha256}
{ecdhe_rsa, aes_128_cbc, sha256, sha256}
{ecdhe_ecdsa, aes_128_cbc, sha256, sha256}
{ecdh_rsa, aes_256_gcm, aead, sha384}
{ecdh_ecdsa, aes_256_gcm, aead, sha384}
{ecdh_rsa, aes_256_cbc, sha384, sha384}
{ecdh_ecdsa, aes_256_cbc, sha384, sha384}
{ecdh_rsa, aes_128_gcm, aead, sha256}
{ecdh_ecdsa, aes_128_gcm, aead, sha256}
{ecdh_rsa, aes_128_cbc, sha256, sha256}
{ecdh_ecdsa, aes_128_cbc, sha256, sha256}
{dhe_rsa, aes_256_gcm, aead, sha384}
{dhe_dss, aes_256_gcm, aead, sha384}
{dhe_rsa, aes_256_cbc, sha256}
{dhe_dss, aes_256_cbc, sha256}
{dhe_rsa, aes_128_gcm, aead, sha256}
{dhe_dss, aes_128_gcm, aead, sha256}
{dhe_rsa, aes_128_cbc, sha256}
{dhe_dss, aes_128_cbc, sha256}
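The ciphers in the RabbitMQ config should correspond with the machine-wide Schannel settings described under Recommended Crypto setting, and the config must be written in RabbitMQ's classic format. The following Python is an added example, not SolarWinds or RabbitMQ code: it converts each Erlang-style cipher tuple to its IANA suite name (the naming Windows uses for cipher suites), reports which tuples are not enabled in a given Schannel list, and renders an ssl_options fragment in classic format. The SCHANNEL_ENABLED list is a constructed sample, and the nesting of the rendered fragment follows the general RabbitMQ classic-format layout, not necessarily the exact structure of the SolarWinds file.

```python
"""Cross-check RabbitMQ cipher tuples against the Windows Schannel cipher
suite list and render an ssl_options fragment in classic config format.

Added example, not SolarWinds or RabbitMQ code. SCHANNEL_ENABLED is a
constructed sample list, not a dump from any real server.
"""
import re

# The FIPS Mode On cipher list from this guide, one Erlang tuple per line.
FIPS_ON_TUPLES = """
{dhe_rsa,aes_256_gcm,aead,sha384}
{dhe_dss,aes_256_gcm,aead,sha384}
{dhe_rsa,aes_256_cbc,sha256}
{dhe_dss,aes_256_cbc,sha256}
{dhe_rsa,aes_128_gcm,aead,sha256}
{dhe_dss,aes_128_gcm,aead,sha256}
{dhe_rsa,aes_128_cbc,sha256}
{dhe_dss,aes_128_cbc,sha256}
"""

# Constructed sample of suites a machine-wide policy might leave enabled in
# Schannel (IANA names, the form Windows reports them in).
SCHANNEL_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]


def tuple_to_iana(entry):
    """Convert an Erlang ssl cipher tuple such as
    '{ecdhe_rsa, aes_256_gcm, aead, sha384}' to its IANA suite name,
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.

    Tuples are {KeyExchange, Cipher, Mac} or {KeyExchange, Cipher, Mac, Prf}.
    AEAD suites carry no MAC, so their name uses the PRF hash instead."""
    m = re.fullmatch(r"\s*\{([^}]*)\}\s*", entry)
    if not m:
        raise ValueError("not a cipher tuple: %r" % entry)
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) == 3:
        kx, cipher, mac = parts
        hash_name = mac
    elif len(parts) == 4:
        kx, cipher, mac, prf = parts
        hash_name = prf if mac == "aead" else mac
    else:
        raise ValueError("unexpected tuple arity: %r" % entry)
    return "TLS_%s_WITH_%s_%s" % (kx.upper(), cipher.upper(), hash_name.upper())


def parse_cipher_block(text):
    """Parse one tuple per line into IANA names, ignoring blank lines."""
    return [tuple_to_iana(line) for line in text.splitlines() if line.strip()]


def unmatched_suites(tuples_text, schannel_enabled):
    """Return the RabbitMQ suites (in config order) that Schannel does not
    enable; a non-empty result means the two settings do not correspond."""
    enabled = set(schannel_enabled)
    return [s for s in parse_cipher_block(tuples_text) if s not in enabled]


def render_ssl_options(versions, tuples_text):
    """Render the versions and ciphers entries of ssl_options as an Erlang
    term list, the classic rabbitmq.config format the guide refers to."""
    tuples = [l.strip() for l in tuples_text.splitlines() if l.strip()]
    ciphers = ",\n      ".join(tuples)
    vers = ", ".join("'%s'" % v for v in versions)
    return (
        "[{rabbit, [\n"
        "  {ssl_options, [\n"
        "    {versions, [%s]},\n"
        "    {ciphers, [\n      %s\n    ]}\n"
        "  ]}\n"
        "]}]." % (vers, ciphers)
    )


if __name__ == "__main__":
    for suite in unmatched_suites(FIPS_ON_TUPLES, SCHANNEL_ENABLED):
        print("not enabled in Schannel:", suite)
    print(render_ssl_options(["tlsv1.2"], FIPS_ON_TUPLES))
```

To use this against a real server, replace SCHANNEL_ENABLED with the suites actually enabled on the Orion host (on Windows Server 2016 and later the Get-TlsCipherSuite cmdlet lists them by IANA name) and FIPS_ON_TUPLES with the ciphers entry from your rabbitmq.config; every suite the function reports is one RabbitMQ offers but the machine-wide policy has disabled.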
TLS Certificate Validation
Supported by: Orion Platform 2019.2 and later
As required by the Common Criteria Protection Profile (CC PP), TLS certificates should be fully validated.
How to enable
Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
Select the following options and save your changes:
- CheckOnCertificateChainErrors
- CheckOnCertificateNameMismatch
- CheckOnCertificateRevocation
SAML Signing
Supported by: Orion Platform 2018.4 and later (not by default)
Applicable when Single sign-on is used. By default, only one signature is required and validated (assertion or SAML response).
You can configure the Orion Platform to require a specific validation or both validations.
See Authenticate Orion Platform users with SAML v2 for configuration details.
How to enable
Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
Select the following options and save your changes:
- SamlAssertionSigningRequired
- SamlResponseSigningRequired
Sensitive Exception Details
Supported by: Orion Platform 2019.2 and later (disabled by default)
By default, only users with Administrator rights can see detailed exceptions. This setting protects you from disclosing sensitive information (variable names, SQL strings, system path information, and source/program code or call stacks) to Orion users.
How to disable
Log in to the Orion Web Console as an administrator and go to Advanced Configuration. Adjust the Orion Web Console URL as follows: [hostname]/Orion/Admin/advancedconfiguration/global.aspx
Clear the IncludeErrorDetail option and save your changes.
Server Information Headers (Banner)
Supported by: Orion Platform 2020.2 or later
To avoid disclosing server information in response headers (Server specifies the web server version; X-Powered-By indicates that the website is “powered by ASP.NET”; X-AspNet-Version specifies the version of ASP.NET used), apply additional configuration in IIS.
How to configure
See Disable the IIS web banner and other IIS headers in the Orion Platform for details.
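As an added example (not SolarWinds code), the following Python checks a captured HTTP response against three settings described in this guide: the HSTS header and its one-year max-age, the Secure flag on cookies (the Secure Cookies section), and the Server, X-Powered-By and X-AspNet-Version banner headers. The two sample responses are constructed for the example; the header names are the standard ones this guide names.

```python
"""Audit a captured HTTP response for the header-level settings this guide
covers: HSTS, the cookie Secure flag, and server banner headers.

Added example, not SolarWinds code. WEAK_RESPONSE and HARDENED_RESPONSE are
constructed samples, not captures from a real Orion web console.
"""
import re

BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
ONE_YEAR = 31536000  # the guide's default HSTS period of one year, in seconds

# Constructed: a response before the settings in this guide are applied.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: ASP.NET_SessionId=EXAMPLE; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed: the same response with HSTS, Secure cookies and no banners.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: ASP.NET_SessionId=EXAMPLE; path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: XSRF-TOKEN=EXAMPLE; path=/; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw):
    """Split raw HTTP response text into (status_line, headers).
    headers is a list of (name, value) pairs because Set-Cookie repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status_line, headers


def audit_headers(raw):
    """Return a list of finding strings; an empty list means every check passed."""
    _, headers = parse_response(raw)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []

    # HSTS: header present with a max-age of at least one year.
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        if not m:
            findings.append("HSTS: max-age directive missing")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age %s is shorter than one year" % m.group(1))

    # Secure Cookies: every Set-Cookie must carry the Secure attribute.
    for cookie in by_name.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("Cookie %s: Secure flag missing" % cname)

    # Banner headers: none of them should be present.
    for name in BANNER_HEADERS:
        if name.lower() in by_name:
            findings.append("Banner: %s header disclosed (%s)" % (name, by_name[name.lower()][0]))
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or ["all checks passed"])
```

Run it against a response captured from your own web console (for example, saved from the browser's developer tools) after applying the settings; an empty list means all three checks passed. Only the Secure flag is checked on cookies, since that is the setting the guide covers.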
Session Timeouts
You can configure your Orion Platform sessions to time out after a shorter time than the default 25 minutes.
Log in to the Orion Web Console as an administrator and click Settings > All Settings in the menu bar.
In the Product Specific Settings grouping, click Web Console Settings.
In Session Timeout, type a shorter time period than the default of 25 minutes, and save your changes.
Browser Auto-Complete
Supported by: Orion Platform 2020.2.6 and later
Browser auto-complete can store sensitive data; it can be disabled by setting the correct attribute (autocomplete) on the HTML input element. Browser auto-complete is now disabled on the Login page and on some admin pages.
How to enable/disable
Connect to the Orion database and update the WebSettings table.
Set UseBrowserAutoComplete to True or False.