Date: 2020-01-27

SolarWinds MSP releases two hotfixes (i.e., software patches) that address N-central Dumpster Diver vulnerability. Huntress Labs described the vulnerability in a blog.

SolarWinds MSP has issued two hotfixes (i.e., software patches) that address the so-called N-central “Dumpster Diver” vulnerability.

The two hotfixes are now available for N-central 12.0 SP1 and above. They can be found and downloaded from here (login required):

Huntress Labs describes the Dumpster Diver vulnerability and its potential implications for MSPs (managed IT services providers) in this blog post.

The vulnerability potentially “allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information,” according to MITRE. “The attacker can use a customer ID to self register and read any aspects of the agent/appliance configuration.”

SolarWinds MSP is not aware of any exploits targeting the vulnerability. The MSP software provider followed standard protocol and has worked with the ethical researcher since the issue was disclosed privately in October 2019, the company says.

Tim Brown, VP of security at SolarWinds, offered this prepared statement: “We thank the researcher for acting in a responsible manner to help protect the community. At SolarWinds, we are committed to staying on top of threats, and working with researchers and our community to provide the help our partners need to stay safe.”

SolarWinds MSP offers a family of tools that help MSPs to automate their own businesses, and remotely manage customer systems. The product portfolio includes SolarWinds N-central (from the former N-able Technologies) — which is not to be confused with SolarWinds RMM (from the former LogicNow).

The SolarWinds hotfixes surface at a time when MSPs and their various software platforms remain prime targets for attack. The FBI and U.S. Department of Homeland Security have repeatedly warned MSPs and their technology platform providers about such attacks.

To get ahead of the cyber threat, ChannelE2E and MSSP Alert have recommended that readers: