3 New Severe Security Vulnerabilities Found in SolarWind Software

Share this post
Share on twitter
Share on facebook
Share on email
Share on linkedin

Three major security vulnerabilities impacting SolarWinds products have recently been discovered. According to cybersecurity experts, the most severe flaw could be exploited to achieve remote code execution with escalated privileges.

Insights from a technical analysis published by cybersecurity firm, Trustwave revealed that two of the weaknesses (CVE-2021-25274 and CVE-2021-25275) are found in the SolarWinds Orion Platform, while a third separate flaw (CVE-2021-25276) has been identified in the company’s Serv-U FTP server for Windows.

Reports indicate that none of the three vulnerabilities has been leveraged in any “in the wild” attacks or during the unprecedented supply chain attack targeting the Orion Platform that occurred last December.

SolarWind learned of the vulnerabilities in Orion and Serv-U FTP on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25.

To mitigate the risks associated with the weaknesses, experts strongly recommend that users install the latest versions of the Orion Platform and Serv-U FTP (15.2.2 Hotfix 1). Trustwave has announced its intention to release a proof-of-concept (PoC) code next week on February 9.

Complete Control Over Orion

Improper use of Microsoft Messaging Queue (MSMQ) is the chief vulnerability uncovered by Trustwave. MSMQ is used heavily by the SolarWinds Orion Collector Service, allowing unauthenticated users to send messages to such queues over TCP port 1801 and eventually attain RCE by chaining it with another unsafe deserialization issue in the code that handles incoming messages.

To tackle this flaw, Solarwind released a patch (Orion Platform 2020.2.4) that addresses the bug with a digital signature validation step performed on arrived messages to ensure that unsigned messages are not processed further. However, it should be noted that the MSMQ is still unauthenticated and allows anyone to send messages to it says Martin Rakhmanov, Trust researcher.

The second vulnerability, also identified in the Orion Platform, involves the insecure manner in which credentials of the backend database (named “SOLARWINDS_ORION”) are stored in a configuration file. This flaw could result in a local, unprivileged user taking complete control over the database, or theft of information by malicious actors.

Lastly, a flaw in SolarWinds Serv-U FTP Server 15.2.1 for Windows could facilitate a local or remote desktop attack. The attacker can log into the system to drop a file that defines a new admin user with full access to the C:\ drive, which can then be leveraged by logging in as that user via FTP to read or replace any file on the drive.

U.S. Department of Agriculture Targeted Using New SolarWinds Flaw

Reports suggest that the suspected Chinese threat actors exploited one of the newly discovered flaws in SolidWind’s software to breach the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture.

In December, Microsoft said that hackers might be taking advantage of an authentication bypass vulnerability in the Orion API to execute arbitrary commands and drop a persistent backdoor called Supernova on target systems.

SolarWinds releases a patch to address the flaw on December 26, 2020.

Since nearly 30% of the private-sector and government agencies involved in this intrusion campaign had no direct connection to SolarWinds, it means that attackers are using a variety of ways to breach target environments.

Also, the campaigns are clear indicators that advanced persistent threat (APT) groups are increasingly focusing on the software supply chain as a channel to strike high-value targets such as corporations and government agencies.

 

Share on twitter
Share on facebook
Share on email
Share on linkedin

More Articles by Julie Security

Juliesecurity Logo

Download a sample report

The best way to understanding our value is to see it with your own eyes. A risk assessment report is a powerful tool helping mitigate cybersecurity vulnerabilities.

Welcome to Julie Security

Map your OT and IoT assets. Monitor your networks. Protect your facility from cyber attacks. Do it with the Julie Security Intrusion Detection Platform.

By clicking the “Sign Up” button, you are creating a Julie Security account, and you agree to the
Terms of Use and Privacy Policy.