Certificate Report
Version 1.0
2 August 2022
CSA_CC_20001
For
SolarWinds Security Event Manager v2019.4
From
SolarWinds Worldwide, LLC
Certification Report v1.0 Page 2
This page is left blank intentionally
Certification Report v1.0 Page 3
Foreword
Singapore is a Common Criteria Certificate Authorising Nation under the Common
Criteria Recognition Arrangement (CCRA). The current list of signatory nations
and approved certification schemes can be found at the CCRA portal:
https://www.commoncriteriaportal.org
The Singapore Common Criteria Scheme (SCCS) is established for the info-
communications technology (ICT) industry to evaluate and certify their IT products
against the requirements of the Common Criteria for Information Technology
Security Evaluation (CC), Version 3.1 (ISO/IEC 15408) and Common
Methodology for Information Technology Security Evaluation (CEM) Version 3.1
(ISO/IEC 18045) in Singapore.
The SCCS is owned and managed by the Certification Body (CB) under the ambit
of Cyber Security Agency of Singapore (CSA).
The SCCS certification signifies that the target of evaluation (TOE) under
evaluation has been assessed and found to provide the specified IT security
assurance. However, certification does not guarantee absolute security and
should always be read with the particular set of threats sought to be addressed
and assumptions made in the process of evaluation.
This certification is not an endorsement of the product.
Certification Report v1.0 Page 4
Amendment Record
Version Date Changes
1.0 2 August 2022 Released
NOTICE
The Cyber Security Agency of Singapore makes no warranty of any kind with
regard to this material and shall not be liable for errors contained herein or
for incidental or consequential damages in connection with the use of this
material.
Certification Report v1.0 Page 5
Executive Summary
This report is intended to assist the end-user of the product in determining the
suitability of the product in their deployed environment.
The Target of Evaluation (TOE) is a SolarWinds Security Event Manager (SEM)
v2019.4 and has undergone the CC certification procedure at the Singapore Common
Criteria Scheme (SCCS). The TOE comprises of the following components:
Software
â–ª SolarWinds Security Event Manager v2019.4
TOE preparative and operative guidance (in PDF format)
â–ª SEM-2019-4: Installation-Guide, 29 Jul 2021
â–ª SEM-2019-4: Admin-Guide, 29 Jul 2021
â–ª SEM-2019-4: Getting-started-guide, 25 Feb 2020
â–ª SEM-2019-4: Common Criteria Supplement v1.9, 3 Aug 2022
TOE is a security information and event management (SIEM) virtual appliance that
provides access to log data for forensic and troubleshooting purposes, and tools to
help manage log data.
TOE collects, stores, and normalizes log and event data from a variety of sources, and
displays that data in a web interface for monitoring, searching, and analysis. Data is
also available for scheduled and ad hoc reporting.
The evaluation of the TOE has been carried out by UL Verification Services Pte Ltd,
an approved CC test laboratory at the assurance level CC EAL2, augmented by
ALC_FLR.2 and completed on 12 August 2022. The certification body monitored each
evaluation to ensure a harmonised procedure and interpretation of the criteria has
been applied.
The TOE Security Functional Requirements are implemented by the following TOE
Security Functionality:
TOE Security Functionality Addressed Issue
Audit Audit records are generated for any specific
operations on TOE.
Identification and
Authentication
Before user may access TOE function, I&A is
mandatory.
Management The management TOE security functionalities, such
as assigning user role.
Log and Event Management Manage the log and event collected from remote
systems.
Secure Communication TOE support secure protocol, such as TLS v1.2 for
communication over a computer network.
Table 1: TOE Security Functionalities
Please refer to the Security Target [SolarWinds Worldwide, LLC. (2022, March 10).
SolarWinds SEM Security Target v0.6.] for more information.
Certification Report v1.0 Page 6
The assets to be protected by the TOE has been defined. Based on these assets, the
TOE Security Problem Definition has been defined in terms of Assumptions, Threats
and Organisation Policies. These are outlined in Chapter 3 of the Security Target.
This Certification covers the configurations of the TOE as outlined in Chapter 5.3 of
this report.
The certification results only apply to the version of the product indicated in the
certificate and on the condition that all the stipulations are kept as detailed in this
Certification Report. This certificate applies only to the specific version and release of
the IT product in its evaluated configuration. This certificate is not an endorsement of
the IT product by SCCS, and no warranty of the IT product by SCCS, is either
expressed or implied.
Certification Report v1.0 Page 7
Table of Contents
1 CERTIFICATION.................................................................................................. 8
1.1 PROCEDURE .................................................................................................... 8
1.2 RECOGNITION AGREEMENTS ............................................................................. 8
2 VALIDITY OF THE CERTIFICATION RESULT ................................................... 9
3 IDENTIFICATION............................................................................................... 10
4 SECURITY POLICY........................................................................................... 11
5 ASSUMPTIONS AND SCOPE OF EVALUATION............................................. 11
5.1 ASSUMPTIONS.................................................................................................11
5.2 CLARIFICATION OF SCOPE............................................................................... 12
5.3 EVALUATED CONFIGURATION........................................................................... 12
5.4 NON-EVALUATED FUNCTIONALITIES ................................................................. 12
5.5 NON-TOE COMPONENTS................................................................................ 13
6 DOCUMENTATION............................................................................................ 13
7 IT PRODUCT TESTING...............................................................................................14
7.1 DEVELOPER TESTING (ATE_FUN) .............................................................................14
7.1.1 Test Approach and Depth....................................................................................14
7.1.2 Test Configuration...............................................................................................14
7.1.3 Test Results..........................................................................................................14
7.2 EVALUATOR TESTING (ATE_IND)..............................................................................15
7.2.1 Test Approach and Depth....................................................................................15
7.2.2 Test Configuration...............................................................................................15
7.2.3 Test Results..........................................................................................................16
7.3 PENETRATION TESTING (AVA_VAN)..........................................................................16
7.3.1 Test Approach and Depth....................................................................................16
8 RESULTS OF THE EVALUATION..............................................................................16
9 ACRONYMS...................................................................................................................19
Certification Report v1.0 Page 8
1 Certification
1.1 Procedure
The certification body conducts the certification procedure according to the following
criteria:
• Common Criteria for IT Security Evaluation (CC) Common Criteria for Information
Technology Security Evaluation, Version 3.1 Revision 5, ISO/IEC 15408
• Common Methodology for IT Security Evaluation (CEM), Version 3.1 Revision 5,
ISO/IEC 18045
• SCCS scheme publications
1.2 Recognition Agreements
The international arrangement on the mutual recognition of certificates based on the
Common Criteria Recognition Arrangement had been ratified on 2 July 2014. The
arrangement covers certificates with claims of compliance against collaborative
protection profiles (cPPs) or evaluation assurance levels (EALs) 1 through 2 and
ALC_FLR.
Singapore is authorised to issue CC certificates recognised widely through the
Common Criteria Recognition Arrangement (CCRA) by the member nations. Hence,
the certification for this TOE is fully covered by the CCRA.
The Common Criteria Recognition Arrangement Logo printed on this certificate
indicates that this certification is recognised under the terms of this agreement by all
signatory nations listed on the CC web portal (http://www.commoncriteriaportal.org).
Certification Report v1.0 Page 9
2 Validity of the Certification Result
This Certification Report only applies to the version of the TOE as indicated. The
Certificate is valid till 1 August 20271.
In cases of changes to the certified version of the TOE, the validity may be extended
to new versions and releases provided the TOE sponsor applies for Assurance
Continuity (i.e. re-certification or maintenance) of the revised TOE, in accordance with
the requirements of the SCCS.
The owner of the Certificate is obliged:
▪ When advertising the Certificate or the fact of the product’s certification, to refer
to and provide the Certification Report, the Security Target and user guidance
documentation herein to any customer of the product for the application and
usage of the certified product;
â–ª To inform the SCCS immediately about vulnerabilities of the product that have
been identified by the developer or any third party; and
â–ª To inform the SCCS immediately in the case that relevant security changes in
the evaluated life cycle has occurred or the confidentiality of documentation and
information related to the TOE or resulting from the evaluation and certification
procedure where the certification of the product has assumed this confidentiality
being maintained, is no longer valid.
1
Certificate validity could be extended by means of assurance continuity. Certificate could also be revoked under
the conditions specified in SCCS Publication 3 (Cyber Security Agency of Singapore (CSA), 2018). Potential
users should check the SCCS website (https://www.csa.gov.sg/Programmes/certification-and-labelling-
schemes/csa-common-criteria/product-list) for the up-to-date status regarding the certificate’s validity.
Certification Report v1.0 Page 10
3 Identification
The Target of Evaluation (TOE) is the SolarWinds Security Event Manager v2019.4.
The following table identifies the TOE deliverables.
Type Name Version Form of Delivery
SW SolarWinds Security Event Manager Version
2019.4
Delivered by hand
DOC SolarWinds Security Event Manager
Getting Started Guide
Version
2019.4, 25
Feb 2020
PDF format delivered
via email.
DOC SolarWinds Security Event Manager
Installation Guide
Version
2019.4, 29
Jul 2021
PDF format delivered
via email.
DOC SolarWinds Security Event Manager
Administrator Guide
Version
2019.4, 29
Jul 2021
PDF format delivered
via email.
DOC SolarWinds Security Event Manager
Common Criteria Supplement, v1.9
Version
2019.4, 03
Aug 2022
PDF format delivered
via email.
Table 2: Deliverables of the TOE
The guide for receipt and acceptance of the above-mentioned TOE are described in
the set of guidance documents [2 ], [3 ], [4 ] and [5 ].
Additional identification information relevant to this Certification procedure as follows:
TOE SolarWinds Security Event Manager (SEM) v2019.4
Security Target SolarWinds Security Event Manager Security Target v0.6
CC Scheme Singapore Common Criteria Scheme (SCCS)
Methodology Common Criteria for Information Technology Security
Evaluation, Version 3.1 Revision 5
Assurance Level EAL 2 augmented ALC_FLR.2
Developer SolarWinds Worldwide, LLC
Sponsor SolarWinds Worldwide, LLC
Evaluation
Facility
UL Verification Services Pte Ltd
Certification Body Cyber Security Agency of Singapore (CSA)
Certification ID CSA_CC_20001
Certificate Validity 2 August 2022 till 1 August 2027
Table 3: Additional Identification Information
Certification Report v1.0 Page 11
4 Security Policy
The TOE’s Security Policy is expressed by the set of Security Functional
Requirements and implemented by the TOE.
The TOE implements policies pertaining to the following security functional classes:
• Audit
• Identification and Authentication
• Management
• Log and Event Management
• Secure Communication
Specific details concerning the above-mentioned security policies can be found in
chapter 7 of the Security Target [1 ].
5 Assumptions and Scope of Evaluation
5.1 Assumptions
The assumptions defined in the Security Target and some aspects of Threats and
Organisational Security Policies are not covered by the TOE itself. These aspects lead
to specific security objectives to be fulfilled by the TOE environment and are listed in
the tables below
Table 4: Objectives for the Operational Environment
Details can be found in Section 4.2 of the Security Target [1 ].
Security Objectives Description
OE.COMM The Operational Environment will protect communication
between the TOE, SEM Agent and systems outside the TOE.
OE.ENVIRON The Administrator will install the TOE in an environment that
provides physical security, uninterruptible power, and
temperature control required for reliable operation.
OE.INSTALL The Administrator will install and configure the TOE according
to the administrator guidance.
OE.INTROP The IT Systems which the TOE monitors is interoperable with
the TOE
OE.NETWORK The Administrator will install and configure a network that
supports communication between TOE and other IT systems.
The administrator will ensure that this network functions
properly.
OE.NOEVILADMIN Administrators are non-hostile and follow the administrator
guidance when using the TOE.
Certification Report v1.0 Page 12
5.2 Clarification of Scope
The scope of evaluation is limited to those claims made in the Security Target [1 ].
5.3 Evaluated Configuration
The scope of evaluation is limited to those claims made in the Security Target [1 ].
The Target of Evaluation is SolarWinds Security Event Manager (SEM) 2019.4. SEM
is a security information and event management (SIEM) that consolidates log data for
forensic and troubleshooting purposes, and tools to help manage log data.
The evaluated configuration consists of the following:
1. One instance of the SEM installed and executing on a supported hypervisor.
The following installation and configuration options must be used:
1. All User Accounts are defined as SEM Users.
2. Custom Widgets are not configured.
3. The Password Policy must be configured to require all passwords to meet
complexity requirements.
4. Administrators configure passwords in accordance with the password policies
for their organization.
5. The SEM is configured for log message storage and nDepth search.
6. The Enable Global Automatic Updates parameter is not set, since this could
cause the TOE to be changed from the evaluated version
5.4 Non-Evaluated Functionalities
There are no non-evaluated functionalities within the scope as clarified in section 5.2.
Certification Report v1.0 Page 13
5.5 Non-TOE Components
The TOE requires additional components (i.e. hardware/software/firmware) for its
operation. These non-TOE components include:
• Hypervisor
• CPU
• Memory
• Hard Drive
• Web Browser
More information is available in Section 1.5.3 Required Non-TOE
Hardware/Software/Firmware of the Security Target [1 ].
6 Architecture Design Information
SEM acts as a monitoring and management tool for use by network managers. It
collects logs and events from multiple remote third-party systems, and alerts the
network managers to specified conditions.
Users interact with the TOE via multiple mechanisms. Consoles (including SEM
console, SEM event console and SEM CMC console) are provided for remote
interaction with users and administrators for configuration and data access.
The TOE consists of five subsystems as follows:
1. SEM Manager
a. SEM Manager is the essential subsystem of TOE, which support most
of the TSFs, this subsystem is not directly access by TOE user, need to
use consoles or report application.
2. SEM Consoles
a. SEM Consoles provides the user access to SEM Manager to conduct
TOE management and event management. When configuration
changes are made, the updated information is saved and acted on.
3. SEM CMC Command Line Interface (CLI)
a. SEM CMC command line interface (CLI) is used to establish connections
to the TOE via using SSH client on a remote IT system for TOE
management.
4. SEM Events Console
a. SEM Event Console provides the user access to the SEM Manager
monitoring functions from remote systems via browser sessions. It
retrieves and displays the appropriate information via the browser
session.
5. SEM Admin User Interface
a. SEM Admin User Interface provides the user access to the SEM
Certification Report v1.0 Page 14
Manager configuration functions from remote IT systems via browser
sessions. This subsystem allows users to configure LDAP
authentication, SSO configuration and the ability to enable/disable local
SEM users.
7 Documentation
The evaluated documentation as listed in Table 2: Deliverables of the TOE is being
provided with the product to the customer. This documentation contains the required
information for secure usage of the TOE in accordance with the Security Target.
8 IT Product Testing
8.1 Developer Testing (ATE_FUN)
8.1.1 Test Approach and Depth
The developer has performed testing most of the interfaces. Interfaces that were not
tested were included as additional test cases under ATE_IND.
8.1.2 Test Configuration
In the SEM Test Configuration, a SEM virtual appliance was deployed as a guest virtual
machine running on first VMware vSphere and then Microsoft Hyper-V hypervisor
hosts. The SEM virtual appliance is setup on a local area network where
communication is allowed between the evaluator Workstation and the SEM Manager.
The Workstation includes a web browser and is configured to make requests via
HTTPS encrypted with TLS.
An overview of the purpose of each of these systems is provided in the following table.
Other systems may be present as well.
Workstation
10.150.16.167
SEM Virtual
Appliance
10.150.16.78
Certification Report v1.0 Page 15
System Purpose
SEM Virtual
Appliance
SEM Virtual Appliance deployed to either VMware
vSphere or Microsoft Hyper-V running SEM Manager.
Workstation Windows 10/Windows Server 2016/2012 workstation with
SEM Console installed.
8.1.3 Test Results
All test results from tested environments showed that the expected test results are
identical to the actual test results.
8.2 Evaluator Testing (ATE_IND)
8.2.1 Test Approach and Depth
To gain confidence that the developer’s testing was sufficient to ensure the correct
operation of the TOE, the evaluator analysed the developer’s test coverage, test plans
and procedures, expected and actual test results.
The evaluator has repeated 4 out of 7 developer’s test cases for verification purpose
and determined that there are no issues.
In addition, the evaluators also devised a set of independent tests that supplements
or augments developer’s existing test plan to gain assurance of the security of the
TOE.
8.2.2 Test Configuration
The evaluator deployed TOE as a guest virtual machine running on Microsoft Hyper-
V hypervisor host. The SEM virtual appliance is setup on a local area network where
communication is allowed between the evaluator’s Workstation and the SEM
Manager.
Figure 1: Environment Setup
Below table is the workstation specification.
Certification Report v1.0 Page 16
Workstation Specifications
Operating System Windows Server 2016 Standard
IP Address 192.168.1.103
Web Browser Google Chrome 92.x (64-bit)
Software Installed • Kiwi Syslog Generator
• Solar-PuTTY
Table 5: Workstation Specification
8.2.3 Test Results
The developer’s test reproduced were verified by the evaluator to conform to the
expected results from the test plan.
8.3 Penetration Testing (AVA_VAN)
8.3.1 Test Approach and Depth
The evaluator performed a public vulnerability search, including a literature review of
conference proceedings, University research, relevant journals, published papers, any
blogs and writeups. The evaluator also considered Internet surveys and online
vulnerability databases. The search was executed with the following criteria:
â–ª Product name (and variants)
▪ Vendor’s name (and variants)
â–ª Product type.
â–ª Name of any components supported in the TOE operational environment or
integrated in the TOE
The search provided the evaluator with a view of the vulnerabilities at the time of the
TOE analysis. In combination with the search for known vulnerabilities (referred to as
"public domain vulnerabilities") the evaluator performed an independent vulnerability
analysis of the TOE documentation as follows:
â–ª The security architecture of the TOE was analysed and understood based on
the ARC document
â–ª The SFRs defined in the Security Target [1 ] were analysed and for each, a
deep understanding of the SFR was gained based on all the evidence provided
for ADV.
The approach chosen by the evaluator is appropriate for the assurance component
chosen (AVA_VAN.5), treating the resistance of the TOE to an attack with basic attack
potential.
Test ID Description Remarks
Test Case #1 Self-signed certificate This test is to analysis the
possibility of exploiting the
self-signed certificate.
Test Case #2 Insecure communication
assessment
This is to check if network
packets are sent in clear
text
Certification Report v1.0 Page 17
Test Case #3 Missing HTTP security
headers assessment
This test is to check if
there are missing HTTP
security headers and the
value in the security
headers.
Test Case #4 Possible clickjacking
vulnerability (Web
Application Client-Side
Testing)
This test is to check if
SAMEORIGIN from test
case 3 can be bypass and
enable a clickjacking
attack which will allow the
attacker’s page overlays
the target application’s
interface.
Test Case #5 Adobe Flex
resourceModuleURLs
same-origin policy (SOP)
bypass
This test is to check if
SWF file with Adobe Flex
application is vulnerable to
Adobe Flex SDK.
Test Case #6 Default or well-known
credential weakness over
SSH service and proceed
with restricted shell
escape
This test is to check if an
attacker is able to
compromise the default
credential and escape a
restricted shell.
Test Case #7 Restricted shell escape
and further local privilege
escalation
The test is to check if an
attacker can escape a
restricted shell and
perform local privilege
escalation.
Table 6: Penetration Test Cases
The evaluator found no exploitable vulnerability in the TOE when operated in the
evaluated configuration. Residual risk was identified, the table below shows the
summary and recommendation:
Summary Recommendation
The self-signed certificate weakness is affected to
the SolarWinds SEM Events Console and SEM
Admin user interface (TCP port 8443) as well as
other SSL / TLS interfaces – SEM manager
interfaces (TCP port 37890-37891), Secure Syslog
(TCP Port 6514).
Recommended to use
certificate issued by a
trustworthy Certificate
Authority rather than a
self-signed certificate is
specified in user
supplement document
(version 1.9).
Table 7: Residual Risk
9 Results of the Evaluation
The Evaluation Technical Report (ETR) was provided by the CCTL in accordance with
the CC, CEM, requirements of the SCCS. As a result of the evaluation, the verdict
PASS is confirmed for the following assurance components:
Certification Report v1.0 Page 18
• All components of the EAL 2 assurance package assurance package
• ALC_FLR.2
Obligations & Recommendations for Usage of the TOE
The documents as outlined in Table 2: Deliverables of the TOE contain necessary
information about the usage of the TOE and all security hints therein have to be
considered. In addition, all aspects of Assumptions, Threats and OSPs as outlined in
the Security Target [1 ] that are not covered by the TOE shall be fulfilled by the
operational environment of the TOE.
Potential user of the product shall consider the results of the certification within his/her
system risk management process. As attack methods and techniques evolve over
time, he/she should define the period of time whereby a re-assessment of the TOE is
required and convey such request to the sponsor of the certificate.
While under the developer’s guidance document that “The Enable Global Automatic
Updates” parameter is not to be enabled, since this could cause the TOE to be
changed from the evaluated version, users are recommended to adhere to its
corporate policies relating to updates and patch management.
Certification Report v1.0 Page 19
10 Acronyms
CCRA Common Criteria Recognition Arrangement
CC Common Criteria for IT Security Evaluation
CCTL Common Criteria Test Laboratory
CSA Cyber Security Agency of Singapore
CEM Common Methodology for Information Technology Security Evaluation
cPP Collaborative Protection Profile
EAL Evaluation Assurance Level
ETR Evaluation Technical Report
IT Information Technology
PP Protection Profile
SAR Security Assurance Requirement
SCCS Singapore Common Criteria Scheme
SFR Security Functional Requirement
TOE Target of Evaluation
TSF TOE Security Functionality
SEM Security Event Manager
11 Bibliography
1 SolarWinds Worldwide, LLC. (2022, March 10). SolarWinds SEM Security
Target v0.6.
2 SolarWinds Worldwide, LLC. (2021, July 29). SolarWinds Security Event
Manager Installation Guide v2019.4.
3 SolarWinds Worldwide, LLC. (2021, July 29). SolarWinds Security Event
Manager Administrator Guide v2019.4.
4 SolarWinds Worldwide, LLC. (2020, Feburary 25). SolarWinds Security Event
Manager Getting Started Guide v2019.4.
5 SolarWinds Worldwide, LLC. (2022, August 3). SolarWinds Security Event
Manager Common Criteria Supplement v1.9
6 Common Criteria Maintenance Board (CCMB). (2017). Common Criteria for
Information Technology Security Evaluation - Part 1: Introduction and general
model [Document Number CCMB-2017-04-001]. Version 3.1 Revision 5.
7 Common Criteria Maintenance Board (CCMB). (2017). Common Criteria for
Information technology Security Evaluation - Part 2: Security functional
components [Document Number CCMB-2017-04-002], Version 3.1 Revision 5.
Certification Report v1.0 Page 20
8 Common Criteria Maintenance Board (CCMB). (2017). Common Criteria for
Information Technology Security Evaluation - Part 3: Security assurance
components [Document Number CCMB-2017-04-003], Version 3.1 Revision 5.
9 Common Criteria Maintenance Board (CCMB). (2017). Common Methodology
for Information Technology Security Evaluation - Evaluation Methodology
[Document Number CCMB-2017-04-004], Version 3.1 Revision 5.
10 Cyber Security Agency of Singapore (CSA). (2018, June). SCCS
Publication 1 - Overview of SCCS, Version 5.0.
11 Cyber Security Agency of Singapore (CSA). (2018, June). SCCS
Publication 2 - Requirements for CCTL, Version 5.0.
12 Cyber Security Agency of Singapore (CSA). (2018, June). SCCS
Publication 3 - Evaluation and Certification, Version 5.0