Vulnerability Description
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.
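The injection point here is a sort column and direction spliced into an ORDER BY clause, a slot that bind parameters cannot protect, so the fix is an identifier allowlist rather than parameterisation. The following is an added example, not Solarwinds code; the table and column names are assumed and the data is constructed.

```python
import sqlite3

# Columns and directions the accounts listing may sort on (assumed names;
# the real AccountManagement.asmx schema is not on the page).
ALLOWED_SORT_COLUMNS = {"AccountID", "Enabled", "LastLogin"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_query_unsafe(sort: str, direction: str) -> str:
    """Vulnerable pattern: caller-controlled sort/dir concatenated into
    ORDER BY. Because ORDER BY targets cannot be bound as parameters,
    whatever the caller sends becomes part of the SQL text."""
    return f"SELECT AccountID, Enabled FROM Accounts ORDER BY {sort} {direction}"


def build_query_safe(sort: str, direction: str) -> str:
    """Hardened pattern: only allowlisted identifiers reach the SQL text;
    anything else is rejected before a connection is touched."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f'SELECT AccountID, Enabled FROM Accounts ORDER BY "{sort}" {direction}'


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the Orion accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (AccountID TEXT, Enabled INTEGER, LastLogin TEXT)")
    conn.executemany(
        "INSERT INTO Accounts VALUES (?, ?, ?)",
        [("admin", 1, "2015-02-01"), ("guest", 0, "2014-12-31"), ("ops", 1, "2015-01-15")],
    )
    return conn


def fetch_accounts(conn: sqlite3.Connection, sort: str, direction: str) -> list:
    """Runs the hardened query and returns account ids in the requested order."""
    return [row[0] for row in conn.execute(build_query_safe(sort, direction))]


def is_rejected(sort: str, direction: str) -> bool:
    """True when the allowlist stops the input (e.g. extra SQL in the dir value)."""
    try:
        build_query_safe(sort, direction)
    except ValueError:
        return True
    return False
```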
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Solarwinds | Orion IP Address Manager | <= 4.2 |
| Solarwinds | Orion NetFlow Traffic Analyzer | <= 4.0 |
| Solarwinds | Orion Network Configuration Manager | <= 7.3.1 |
| Solarwinds | Orion Network Performance Monitor | <= 11.4 |
| Solarwinds | Orion Server and Application Manager | <= 6.1 |
| Solarwinds | Orion User Device Tracker | <= 3.1 |
| Solarwinds | Orion VoIP & Network Quality Manager | <= 4.1 |
| Solarwinds | Orion Web Performance Monitor | <= 2.1 |
Related Weaknesses (CWE)
References
- http://osvdb.org/show/osvdb/118746
- http://packetstormsecurity.com/files/130637/Solarwinds-Orion-Service-SQL-Injecti (Exploit)
- http://seclists.org/fulldisclosure/2015/Mar/18 (Exploit)
- http://volatile-minds.blogspot.com/2015/02/authenticated-stacked-sql-injection-i (Exploit)
- http://www.exploit-db.com/exploits/36262 (Exploit)
- http://www.solarwinds.com/documentation/orion/docs/releasenotes/releasenotes.htm (Vendor Advisory)
- https://github.com/rapid7/metasploit-framework/pull/4836
FAQ
What is CVE-2014-9566?
CVE-2014-9566 is a vulnerability with a CVSS score of 7.5 (HIGH). Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11...
How severe is CVE-2014-9566?
CVE-2014-9566 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9566?
Check the references section above for vendor advisories and patch information. Affected products include: Solarwinds Orion IP Address Manager, Solarwinds Orion NetFlow Traffic Analyzer, Solarwinds Orion Network Configuration Manager, Solarwinds Orion Network Performance Monitor, Solarwinds Orion Server and Application Manager.