SolarWinds MSP has issued two hotfixes (i.e., software patches) that address the so-called N-central “Dumpster Diver” vulnerability.
The two hotfixes are now available for N-central 12.0 SP1 and above. They can be found and downloaded from here (login required).
Huntress Labs describes the Dumpster Diver vulnerability and its potential implications for MSPs (managed IT services providers) in this blog post.
The vulnerability potentially "allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information," according to MITRE. "The attacker can use a customer ID to self register and read any aspects of the agent/appliance configuration."
SolarWinds MSP says it is not aware of any attacks exploiting the vulnerability. The MSP software provider followed standard disclosure protocol and has worked with the ethical researcher since the issue was reported privately in October 2019, according to the company.
Tim Brown, VP of security at SolarWinds, offered this prepared statement: “We thank the researcher for acting in a responsible manner to help protect the community. At SolarWinds, we are committed to staying on top of threats, and working with researchers and our community to provide the help our partners need to stay safe.”
SolarWinds MSP offers a family of tools that help MSPs automate their own businesses and remotely manage customer systems. The product portfolio includes SolarWinds N-central (from the former N-able Technologies), which is not to be confused with SolarWinds RMM (from the former LogicNow).
The SolarWinds hotfixes surface at a time when MSPs and their various software platforms remain prime targets for attack. The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.
To get ahead of the cyber threat, ChannelE2E and MSSP Alert have recommended that readers:
- Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
- Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
- Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
- Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
- Continue to attend channel-related conferences, but extend to attend major cybersecurity events — particularly RSA Conference, Black Hat and Amazon AWS re:Inforce. (PS: Also, keep your eyes open for PerchyCon 2020 in January.)