Attention ‘provides the sunlight necessary to expose major flaws’, says Trustwave
Security researchers at Trustwave have discovered three new severe security vulnerabilities in the SolarWinds IT monitoring and management platform.
The findings – detailed in a technical blog post published today (February 3) – come just weeks after the discovery that other flaws in the platform were exploited in a high-profile supply chain attack.
The latest security issues discovered by Trustwave include two in the SolarWinds Orion Platform and one in SolarWinds Serv-U FTP for Windows. All three were resolved prior to public disclosure.
Trustwave rates all three vulnerabilities as ‘severe’; the most critical bug allows remote code execution with high privileges (as LocalSystem, see below).
A separate vulnerability could allow any local user, regardless of privileges, to take complete control of the SOLARWINDS_ORION database.
From there, an adversary could steal information or add a new admin-level user for use inside SolarWinds Orion products.
‘Full server takeover’
In response to questions from The Daily Swig, Trustwave explained the seriousness and potential impact of the flaws:
These are all severe issues that could result in full server takeover. However, the most critical of the three vulnerabilities affects the Orion implementation of Microsoft Message Queue (CVE-2021-25274).
This would allow any remote, unauthorized user with access to a vulnerable system the ability to run arbitrary code as LocalSystem.
Because the Orion platform is often used for critical network operations to monitor and manage assets, attacks compromising these types of systems often provide the attacker with even more access to critical resources than a typical exploit [would].
Users of affected products should apply patches as soon as possible, Trustwave advises.
Asked to comment on whether or not SolarWinds users should be concerned that other serious flaws were discovered within weeks of a high-profile attack, Trustwave was able to offer a somewhat reassuring response.
Karl Sigler, senior security research manager at Trustwave’s SpiderLabs research division, said: “High profile compromises often draw many eyes including those of professional researchers.
“Our hope is that the attention (especially among the ‘good guys’) provides the sunlight necessary to expose major flaws and provide the necessary gap closure to secure the technology.”
The Daily Swig asked Texas-based SolarWinds to comment on the vulnerabilities. It responded with a statement indicating that everything was in hand:
Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now. The vulnerabilities announced by Trustwave concerning Orion 2020.2.4 have been addressed via a fix released on Jan 25, 2021. The vulnerabilities concerning Serv-U 115.2.2 have been addressed via fixes released on Jan 21 and 22, 2021.
Following the recent nation-state attack against an array of American software providers, including SolarWinds, we have been collaborating with our industry partners and government agencies to advance our goal of making SolarWinds the most secure and trusted software company.
We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process.
APT29 (AKA ‘Cozy Bear’), a group linked to Russian intelligence agencies, is suspected of compromising the update mechanism of Orion, SolarWinds’ enterprise network management software, and using it as a means to plant malware on the systems of SolarWinds customers.
The supply chain attack affected numerous US government organizations as well as technology firms including Microsoft and FireEye before it was discovered last December.
The ultimate goal of the campaign, which forensic analysis dates to as early as March 2020, was likely cyber-espionage.