Advisory Details

October 5th, 2015

(0Day) SolarWinds Server and Application Monitor Alert Manager Elevation of Privilege Vulnerability

ZDI-14-428
ZDI-CAN-2517

CVE ID
CVSS SCORE 6.8, AV:L/AC:L/Au:S/C:C/I:C/A:C
AFFECTED VENDORS SolarWinds
AFFECTED PRODUCTS Server and Application Monitor
VULNERABILITY DETAILS


This vulnerability allows attackers to execute arbitrary code on vulnerable installations of SolarWinds Server and Application Monitor. This vulnerability requires the attacker to have an unprivileged account on the system.

The specific flaw exists within the Alert Manager component. Alerts within this component can be configured in a way that allows for the execution of arbitrary scripts or programs. An attacker can leverage this to elevate privileges and execute code in the context of NT Authority\SYSTEM.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch because the vendor indicates that the vulnerability does not meet the bar for security servicing.

09/04/2014 - ZDI disclosed to the vendor
09/08/2014 - Vendor indicated 'by design' and that no fix would be forthcoming

-- Mitigation:

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted users.


DISCLOSURE TIMELINE
  • 2014-09-04 - Vulnerability reported to vendor
  • 2015-10-05 - Coordinated public release of advisory
CREDIT Tom McCredie - tom.mac@hp.com