CVE-2020-25621
https://notcve.org/view.php?id=CVE-2020-25621
An issue was discovered in SolarWinds N-Central 12.3.0.670. The local database does not require authentication: security is only based on ability to access a network interface. The database has keys and passwords. Se detectó un problema en SolarWinds N-Central versión 12.3.0.670. La base de datos local no requiere autenticación: la seguridad solo es basada en la capacidad de acceder a una interfaz de red. • https://ernw.de/en/publications.html https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central https://support.solarwinds.com/SuccessCenter/s • CWE-306: Missing Authentication for Critical Function •
CVE-2020-25620
https://notcve.org/view.php?id=CVE-2020-25620
An issue was discovered in SolarWinds N-Central 12.3.0.670. Hard-coded Credentials exist by default for local user accounts named support@n-able.com and nableadmin@n-able.com. These allow logins to the N-Central Administrative Console (NAC) and/or the regular web interface. Se detectó un problema en SolarWinds N-Central versión 12.3.0.670. Se presentan Credenciales Embebidas por defecto para las cuentas de usuario locales denominadas support@n-able.com y nableadmin@n-able.com. • https://ernw.de/en/publications.html https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central https://support.solarwinds.com/SuccessCenter/s • CWE-798: Use of Hard-coded Credentials •
CVE-2020-25619
https://notcve.org/view.php?id=CVE-2020-25619
An issue was discovered in SolarWinds N-Central 12.3.0.670. The SSH component does not restrict the Communication Channel to Intended Endpoints. An attacker can leverage an SSH feature (port forwarding with a temporary key pair) to access network services on the 127.0.0.1 interface, even though this feature was only intended for user-to-agent communication. Se detectó un problema en SolarWinds N-Central versión 12.3.0.670. El componente SSH no restringe el Canal de Comunicación a unos Endpoints Previstos. • https://ernw.de/en/publications.html https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central https://support.solarwinds.com/SuccessCenter/s •
CVE-2020-25618
https://notcve.org/view.php?id=CVE-2020-25618
An issue was discovered in SolarWinds N-Central 12.3.0.670. The sudo configuration has incorrect access control because the nable web user account is effectively able to run arbitrary OS commands as root (i.e., the use of root privileges is not limited to specific programs listed in the sudoers file). Se detectó un problema en SolarWinds N-Central versión 12.3.0.670. La configuración de sudo presenta un control de acceso incorrecto porque la cuenta de usuario web nable puede ejecutar comandos arbitrarios del Sistema Operativo como root (es decir, el uso de privilegios root no se limita a los programas específicos listados en el archivo sudoers) • https://ernw.de/en/publications.html https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central https://support.solarwinds.com/SuccessCenter/s • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2020-25617
https://notcve.org/view.php?id=CVE-2020-25617
An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows Relative Path Traversal by an authenticated user of the N-Central Administration Console (NAC), leading to execution of OS commands as root. Se detectó un problema en SolarWinds N-Central versión 12.3.0.670. El endpoint HTTP AdvancedScripts permite un Salto de Ruta Relativo por parte de un usuario autenticado del N-Central Administration Console (NAC), conllevando a una ejecución de los comandos del Sistema Operativo como root • https://ernw.de/en/publications.html https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central https://support.solarwinds.com/SuccessCenter/s • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •