CVE-2018-16791

9.8 CRITICAL

📋 TL;DR

CVE-2018-16791 allows attackers to read and modify the configuration file of SolarWinds SFTP/SCP Server, exposing stored passwords in plaintext or weak encryption. This enables credential theft and server backdooring. Organizations using SolarWinds SFTP/SCP Server through version 2018-09-10 are affected.

💻 Affected Systems

Products:
  • SolarWinds SFTP/SCP Server
Versions: All versions through 2018-09-10
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration where the configuration file has insecure permissions and stores passwords weakly.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise with administrative access, credential theft for all configured accounts, and persistent backdoor installation allowing ongoing unauthorized access.

🟠 Likely Case: Unauthorized access to sensitive files, credential harvesting for SFTP/SCP users, and potential lateral movement within the network.

🟢 If Mitigated: Limited to local file system access if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - Directly exposed servers can be compromised remotely if accessible.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability locally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local or remote file system access to read/write the configuration file. Public disclosure includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2018-09-10

Vendor Advisory: https://www.solarwinds.com/securityadvisory

Restart Required: Yes

Instructions:

1. Upgrade SolarWinds SFTP/SCP Server to a version after 2018-09-10.
2. Restart the service.
3. Verify that the configuration file permissions are secure.

🔧 Temporary Workarounds

Secure Configuration File Permissions (Linux)

Restrict read/write access to the configuration file to authorized users only. The path below is a placeholder; if the server runs under a dedicated service account rather than root, make that account the owner so the service can still read the file after the mode is tightened.

chmod 600 /path/to/sftpserver.conf
chown root:root /path/to/sftpserver.conf

Windows ACL Restriction (Windows)

Set strict NTFS permissions on the configuration file. The command below removes inherited ACEs and leaves only Administrators and SYSTEM with access; if the service runs under a different account, also grant that account read access or the service will fail to load its configuration.

icacls "C:\Program Files\SolarWinds\SFTP Server\config.xml" /inheritance:r /grant:r "Administrators:F" /grant:r "SYSTEM:F"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the SFTP/SCP server from untrusted networks.
  • Monitor file system access to the configuration file and alert on unauthorized modifications.

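The second workaround above calls for alerting on unauthorized modifications to the configuration file. The script below is an added example of a baseline-and-compare integrity check, not SolarWinds code or anything from the original advisory: it records the file's SHA-256, mode bits and owner on first run into a JSON baseline (the baseline location is an assumption) and reports which attributes drifted on later runs. The configuration path is a placeholder.

```python
"""Baseline-and-compare integrity check for the SFTP/SCP server configuration
file, so that a change to its contents, mode or owner can raise an alert when
patching is not possible. Hypothetical helper, not SolarWinds code; storing the
baseline as a JSON file next to the configuration is an assumption."""
import hashlib
import json
import os
import stat
from typing import Dict, List


def fingerprint_bytes(data: bytes, mode: int, uid: int) -> Dict[str, str]:
    """Build the tracked attributes; split out so it is testable without real files."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "mode": oct(stat.S_IMODE(mode)),
        "uid": str(uid),
    }


def fingerprint_file(path: str) -> Dict[str, str]:
    """Fingerprint an actual file on disk (content hash, mode bits, owner)."""
    st = os.stat(path)
    with open(path, "rb") as f:
        return fingerprint_bytes(f.read(), st.st_mode, st.st_uid)


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return human-readable change descriptions; an empty list means no drift."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes.append(f"{key}: {baseline.get(key)} -> {current.get(key)}")
    return changes


def check_against_baseline(path: str, baseline_path: str) -> List[str]:
    """Create the baseline on first run; afterwards report any drift from it."""
    current = fingerprint_file(path)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f)
        return []
    with open(baseline_path) as f:
        baseline = json.load(f)
    return diff_baseline(baseline, current)


if __name__ == "__main__":
    import sys
    # Placeholder path; pass the real configuration file as the first argument.
    cfg = sys.argv[1] if len(sys.argv) > 1 else "/path/to/sftpserver.conf"
    for change in check_against_baseline(cfg, cfg + ".baseline.json"):
        print("ALERT config drift:", change)
```

Run it from a scheduled task or cron job after the workaround has been applied and forward any "ALERT" lines to the SIEM; a legitimate change (patch, deliberate reconfiguration) is handled by deleting the baseline so it is regenerated on the next run.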
🔍 How to Verify

Check if Vulnerable:

Check whether the configuration file (e.g., sftpserver.conf or config.xml) is readable by users other than the service account and administrators (world-readable mode bits on Linux, broad NTFS ACLs on Windows) and whether it contains plaintext or weakly encrypted passwords.

Check Version:

Run sftpserver --version, or check the SolarWinds management interface for version information.

Verify Fix Applied:

Verify configuration file permissions are restricted (e.g., 600 on Linux, limited ACLs on Windows) and passwords are no longer stored insecurely.
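The two checks in this section (exposed permissions, insecurely stored passwords) can be scripted. The following is an added example, not SolarWinds code and not taken from the advisory: it reports whether the file's POSIX mode grants group or other read access and lists every password field it finds, with a heuristic classification. The sample configuration is constructed for illustration, since the real file layout is not documented here; the patterns should be adjusted to the actual format, and note that a base64- or hex-looking value is only marked "encoded", which does not mean it is strongly encrypted.

```python
"""Check a SolarWinds SFTP/SCP Server-style configuration file for the two
conditions this advisory describes: permissions that let other local users
read it, and stored passwords that are plaintext (or merely look encoded).

Hypothetical helper, not SolarWinds code. The configuration format below is
constructed for illustration; the real file layout is not documented on the
page, so adjust the patterns to the actual file before relying on the result.
"""
import os
import re
import stat
from typing import List, Tuple

# Constructed sample: one INI-style entry and one XML-style entry.
SAMPLE_CONFIG = """[Users]
alice.password = Summer2018!
<User Name="bob" Password="cGFzc3dvcmQxMjM0NTY3OA==" />
[Server]
listen_port = 22
"""

# Matches 'password = value', 'Password="value"' and similar (case-insensitive).
PASSWORD_FIELD = re.compile(r'password\s*[=:]\s*"?([^"\s]+)', re.IGNORECASE)
# Heuristic: values that look like hex digests or base64 blobs are reported as
# "encoded" (not necessarily encrypted); anything else is reported as plaintext.
HEX_BLOB = re.compile(r'^[0-9a-fA-F]{32,}$')
B64_BLOB = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def classify_value(value: str) -> str:
    """Return 'plaintext' or 'encoded' for a stored password value (heuristic)."""
    if HEX_BLOB.match(value) or B64_BLOB.match(value):
        return "encoded"
    return "plaintext"


def scan_config_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, classification) for every password field found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PASSWORD_FIELD.search(line)
        if m:
            findings.append((lineno, classify_value(m.group(1))))
    return findings


def mode_is_exposed(mode: int) -> bool:
    """True if the POSIX mode grants group or other users read access."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config(path: str) -> dict:
    """Audit a real file: mode bits plus a password-field scan of its contents."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as f:
        findings = scan_config_text(f.read())
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "exposed_to_other_users": mode_is_exposed(st.st_mode),
        "password_fields": findings,
        "plaintext_count": sum(1 for _, c in findings if c == "plaintext"),
    }


if __name__ == "__main__":
    import sys
    # Placeholder path; pass the real configuration file(s) as arguments.
    for p in sys.argv[1:] or ["/path/to/sftpserver.conf"]:
        try:
            print(p, audit_config(p))
        except OSError as e:
            print(p, "error:", e)
```

A fixed host should report exposed_to_other_users as False and plaintext_count as 0; on Windows the mode check is not meaningful and the ACL should be reviewed with icacls instead, while the content scan still applies.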

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to configuration file
  • Unexpected modifications to SFTP/SCP server configuration

Network Indicators:

  • Unusual SFTP/SCP connections from unexpected IP addresses
  • Anomalous data exfiltration patterns

SIEM Query:

source="sftpserver.log" AND (event="config_file_access" OR event="password_reset")
