How are passwords stored in the Orion database? I know they are not clear text but are they encrypted or hashed and if so with what algorithms?
Newer (non-legacy) installs of the Orion platform have the database-stored credentials encrypted/decrypted via PKI (see the details of the SolarWinds-Orion certificate). This certificate is shared among the primary poller and all scalability engines. Orion accounts use a salted hash (SHA512), where each account has its own hash. The algorithms are FIPS compliant.
Hi Peter.Cooper do you know how to decrypt the Orion account password? Thanks!
I've referred to the Orion account password being hashed, which means we can't decrypt the password.
Imagine an algorithm where we separate every character of your password and add them up. Next, we store that result in the database, perform the same task every time you log in, and check for equality. That would mean that we don't actually store the password. Now imagine that the algorithm used (add them up) is cryptographically strong and fine for use in military applications. The only way to fetch your original password is with a rainbow table (where somebody has done that algorithm against common passwords and their variants)... that could yield your original password. Except, that we added some extra data (salt) into the mix which means that the rainbow tables aren't logically usable.
On occasion, I have locked myself out of Orion. When that happens, I have used Microsoft SQL Studio to overwrite the two columns relating to password with values from another database's account where I know the password. Does that help?
Hmmmm... Thanks for the info. That helps.
Hi Peter.Cooper!
If I have multiple CredentialIDs in the CredentialProperty table that are essentially the same Active Directory service account, just for different modules, is there any way for me to update all records simultaneously when I am required to change the AD account's password? I am not sure how else I would be able to satisfy the password change requirement without creating a completely new service account for every credential to prevent the headache that would be AD locks for hours.
Peter.Cooper wrote: Newer (non-legacy) installs of the Orion platform have the database-stored credentials encrypted/decrypted via PKI (see the details of the SolarWinds-Orion certificate). This certificate is shared among the primary poller and all scalability engines. Orion accounts use a salted hash (SHA512), where each account has its own hash. The algorithms are FIPS compliant.
Is there a SolarWinds document or even blog post that details the information you provided? My security department would appreciate this info.
I looked into this recently[1] and figured it was worth updating the forum threads.
Orion password hashing is a variant of a salted SHA512 hash. The hash is computed by first generating a salt that consists of the lowercase username. If the salt is less than 8 bytes long, it is appended with bytes from the string "1244352345234" until it is 8 bytes. For example, the salt for username "ADMIN" would become "admin124", while the salt for "Bo" would become "bo124435". Once the salt has been calculated, an RFC 2898 PBKDF2 is generated using the default iteration count of 1000 and the SHA1 hash algorithm. Finally, a SHA512 hash of the PBKDF2 output is taken and encoded using Base64. This hashing function has been implemented in the Ruby script hash-password.rb.
1. https://www.atredis.com/blog/2018/10/24/fun-with-the-solarwinds-orion-platform
-HD
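The steps HD describes above (lowercase-username salt padded from "1244352345234", PBKDF2-HMAC-SHA1 at 1000 iterations, SHA512, Base64), written out as an added Python example that is not the Atredis hash-password.rb script and not SolarWinds code. It assumes the username and password are ASCII/UTF-8 and, since the post does not say how many PBKDF2 bytes are derived before the SHA512 step, it takes the derived length as an assumed parameter; both assumptions are marked in the code. The verify function is the defender-side use: checking a candidate password against a hash pulled from the Accounts table during an audit, rather than recovering it.

```python
import base64
import hashlib
import hmac

SALT_PAD = "1244352345234"   # padding string quoted in the post above
PBKDF2_ITERATIONS = 1000     # .NET Rfc2898DeriveBytes default, per the post
# ASSUMPTION: the post does not state the PBKDF2 output length fed into
# SHA512. 1024 bytes is a placeholder; change it to match the real tool.
PBKDF2_DKLEN_ASSUMED = 1024


def orion_salt(username: str) -> str:
    """Lowercase the username; pad it to 8 chars from SALT_PAD if shorter.

    Note for reviewers: the salt is derived from the username, not random,
    so equal username+password pairs hash identically across installs.
    """
    salt = username.lower()
    if len(salt) < 8:
        salt += SALT_PAD[: 8 - len(salt)]
    return salt


def orion_hash(username: str, password: str,
               dklen: int = PBKDF2_DKLEN_ASSUMED) -> str:
    """Base64(SHA512(PBKDF2-HMAC-SHA1(password, salt, 1000, dklen)))."""
    # ASSUMPTION: UTF-8 encoding of both inputs.
    salt = orion_salt(username).encode("utf-8")
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen)
    digest = hashlib.sha512(derived).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(username: str, password: str, stored_hash: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(orion_hash(username, password), stored_hash)


if __name__ == "__main__":
    # Constructed sample input; not a real Orion account.
    print(orion_salt("ADMIN"), orion_salt("Bo"))
    print(orion_hash("Admin", "example-password"))
```

With only 1000 iterations of SHA1 and a predictable salt, this construction is far weaker than a modern memory-hard password hash, which is the point worth raising with a security department that asks about it.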
We’re all aware that bad actors are continually looking for ways to gain unauthorized access to your systems. You need to pay attention to your environment and the way it is secured. We recommend that you segment your network, limit privileges, and allow appropriate access from the Orion server to the Orion database.
Are you referring to the Credential Store for the SAM/WMI passwords or the Users logging in to Orion Itself?
For the first case, there is a sneaky way to get the stored credentials. You need to be SAM admin though.
Cheers
The blog post link above covers both (Accounts table password hashing and the 1024-bit RSA encryption of the stored credentials). This thread was specifically about the Accounts table password hashing format.