Three major security vulnerabilities impacting SolarWinds products have recently been discovered. According to cybersecurity experts, the most severe flaw could be exploited to achieve remote code execution with escalated privileges.
Insights from a technical analysis published by cybersecurity firm Trustwave revealed that two of the weaknesses (CVE-2021-25274 and CVE-2021-25275) are found in the SolarWinds Orion Platform, while a third, separate flaw (CVE-2021-25276) has been identified in the company’s Serv-U FTP server for Windows.
Reports indicate that none of the three vulnerabilities has been leveraged in any “in the wild” attacks or during the unprecedented supply chain attack targeting the Orion Platform that occurred last December.
SolarWinds learned of the vulnerabilities in Orion and Serv-U FTP on December 30, 2020, and January 4, 2021, respectively, and resolved the issues on January 22 and January 25.
To mitigate the risks associated with the weaknesses, experts strongly recommend that users install the latest versions of the Orion Platform and Serv-U FTP (15.2.2 Hotfix 1). Trustwave has announced its intention to release proof-of-concept (PoC) code next week, on February 9.
Complete Control Over Orion
Improper use of Microsoft Message Queuing (MSMQ) is the chief vulnerability uncovered by Trustwave. MSMQ is used heavily by the SolarWinds Orion Collector Service, which allows unauthenticated users to send messages to its queues over TCP port 1801; chained with a separate unsafe deserialization issue in the code that handles incoming messages, this can be escalated to remote code execution.
To tackle this flaw, SolarWinds released a patch (Orion Platform 2020.2.4) that adds a digital signature validation step for incoming messages, so that unsigned messages are not processed further. However, it should be noted that the MSMQ queue is still unauthenticated and allows anyone to send messages to it, says Martin Rakhmanov, a Trustwave researcher.
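The fix pattern described above, as an added illustration that is not SolarWinds' or Trustwave's code: a queue consumer that authenticates each message with an HMAC before deserializing it, beside the pre-patch pattern that deserializes whatever arrives. Orion is a .NET product; Python, HMAC-SHA256 and JSON are assumptions here standing in for the platform's signature check and deserializer, and the key and sample messages are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment it comes from the platform's key store,
# and its protection matters all the more because the queue itself stays unauthenticated.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag prepended to each message


def sign_message(payload: dict, key: bytes = SIGNING_KEY) -> bytes:
    """Producer side: serialize, then prepend an HMAC-SHA256 tag over the payload bytes."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def handle_unverified(raw: bytes) -> dict:
    """Pre-patch pattern: whatever lands on the queue goes straight to the deserializer.
    With an open queue, any sender's bytes reach this code path."""
    return json.loads(raw)


def handle_verified(raw: bytes, key: bytes = SIGNING_KEY):
    """Post-patch pattern: check the signature first; unsigned or altered messages are
    dropped before the deserializer ever sees sender-controlled bytes."""
    if len(raw) <= TAG_LEN:
        return None  # too short to carry a tag plus a body
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(body)


def demo():
    """Constructed messages: one signed, one unsigned, one signed-then-altered.
    Returns four booleans describing how each consumer treats them."""
    legit = sign_message({"node": "srv01", "metric": "cpu", "value": 42})
    forged = json.dumps({"node": "srv01", "metric": "cpu", "value": 99}).encode()
    tampered = legit[:TAG_LEN] + legit[TAG_LEN:].replace(b"42", b"99")
    legit_ok = handle_verified(legit) == {"node": "srv01", "metric": "cpu", "value": 42}
    forged_rejected = handle_verified(forged) is None
    tampered_rejected = handle_verified(tampered) is None
    unverified_accepts_forged = handle_unverified(forged)["value"] == 99
    return legit_ok, forged_rejected, tampered_rejected, unverified_accepts_forged


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

Because the queue remains open to any sender, the signature check is the only barrier between arbitrary input and the deserializer, so the signing key's protection carries the whole design.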
The second vulnerability, also identified in the Orion Platform, involves the insecure manner in which credentials for the backend database (named “SOLARWINDS_ORION”) are stored in a configuration file. This flaw could allow a local, unprivileged user to take complete control over the database, or enable theft of information by malicious actors.
Lastly, a flaw in SolarWinds Serv-U FTP Server 15.2.1 for Windows could facilitate a local or remote desktop attack. The attacker can log into the system to drop a file that defines a new admin user with full access to the C:\ drive, which can then be leveraged by logging in as that user via FTP to read or replace any file on the drive.
U.S. Department of Agriculture Targeted Using New SolarWinds Flaw
Reports suggest that suspected Chinese threat actors exploited one of the newly discovered flaws in SolarWinds’ software to breach the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture.
In December, Microsoft said that hackers might be taking advantage of an authentication bypass vulnerability in the Orion API to execute arbitrary commands and drop a persistent backdoor called Supernova on target systems.
SolarWinds released a patch to address the flaw on December 26, 2020.
Since nearly 30% of the private-sector and government agencies involved in this intrusion campaign had no direct connection to SolarWinds, attackers are evidently using a variety of ways to breach target environments.
Also, the campaigns are clear indicators that advanced persistent threat (APT) groups are increasingly focusing on the software supply chain as a channel to strike high-value targets such as corporations and government agencies.