SolarWinds customers are being urged to apply newly released security patches after the discovery of three previously undisclosed severe vulnerabilities which could allow attackers to abuse the enterprise IT administration tools take control of Windows systems.
The disclosure of the two vulnerabilities in SolarWinds Orion and one in SolarWinds Serv-U FTP comes following December's discovery that SolarWinds had been hacked – likely by a Russian operation – and its software updates compromised in order to distribute malware to 18,000 Orion customers.
The hack was part of a wider campaign against other tech vendors that represents one of the biggest cyber incidents in recent years and it led to cybersecurity researchers at Trustwave to further examine SolarWinds products for further vulnerabilities – and they found three.
The most severe vulnerability (CVE-2021-25275) could allow attackers to exploit a vulnerability in how Orion works with Microsoft Message Queue (MSMQ) to gain access to secured credentials in the backend and gain complete control over the entire Windows sever. This could be used to steal information or add new admin-level users to Orion.
A second vulnerability (CVE-2021-25274) could allow remote, unauthenticated users to run code in a way that allows the complete control of the underlying Windows operating system. This again could lead to unauthorised access to sensitive systems and servers.
The third vulnerability (CVE-2021-25276) related to SolarWinds Serv-U FTP and allows anyone who can login locally– or remotely via RDP – to add an admin account and all the privileges that brings when it comes to access to the network and servers, potentially providing an attacker with access to sensitive information.
"All of these vulnerabilities have the potential of completely compromising the Windows server running valuable software," Karl Sigler, threat intelligence manager at Trustwave told ZDNet.
"Orion isn't like an Office suite, it's used by your network administrator and other people with a lot of privileges and access to valuable data on the network," Sigler said.
Trustwave disclosed their findings to SolarWinds and security patches have been released to close the vulnerabilities and prevent them being exploited.
"Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now. The vulnerabilities announced by Trustwave concerning Orion 2020.2.4 have been addressed via a fix released on Jan 25, 2021. The vulnerabilities concerning Serv-U 115.2.2 will be addressed via a fix released on Feb 3, 2021," a SolarWinds spokesperson told ZDNet.
"We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today's announcement aligns with this process," they added.
There's currently no evidence that cyber attackers have successfully used these vulnerabilities.
"We can never one hundred percent say these haven't been exploited in the wild – but I think we've beaten the bad guys to the punch here. I think we were able to find them before they did and hopefully put patches in place before they learn how to exploit them," said Sigler.
It's therefore recommended that organisations have a strategy to apply the security patches required to protect against the three newly disclosed vulnerabilities as soon as possible.
MORE ON CYBERSECURITY
- SolarWinds: The more we learn, the worse it looks
- SolarWinds attack: Cybersecurity experts share lessons learned and how to protect your business TechRepublic
- These software bugs are years old. But businesses still aren't patching them
- Microsoft says SolarWinds hackers viewed source code CNET
- Cybersecurity: How to get your software patching strategy right and keep the hackers at bay