Executive Summary
On Wednesday, February 3, researchers at security firm TrustWave released a blog post detailing a new remote code execution (RCE) vulnerability in the SolarWinds Orion product and two new local privilege escalation (LPE) vulnerabilities in SolarWinds Orion and SolarWinds Serv-U FTP respectively.
What is notable about this disclosure is that TrustWave researchers announced they will release public proof of concept (PoC) exploit code for all three vulnerabilities on Tuesday, February 9. While disclosure of PoC exploit code helps the security community develop defensive measures, it also provides threat actors with instructions on how to craft attacks that exploit these vulnerabilities.
CVE-2021-25274, the RCE in SolarWinds Orion, poses the greatest risk of the three vulnerabilities. It can be exploited in attacks against organizations where a threat actor has network access that allows them to connect to a server running SolarWinds Orion. SolarWinds Orion best practices state that the product should be installed internally and not be exposed to the public Internet.
Organizations following these best practices significantly reduce their exposure to attacks exploiting this vulnerability, as a threat actor would need access to their internal networks to exploit vulnerable systems.
Patches for all three vulnerabilities have been released by SolarWinds. Additional details are provided in the recommendations section below. Arctic Wolf strongly recommends that customers running SolarWinds Orion and/or SolarWinds Serv-U FTP deploy these patches prior to TrustWave’s public disclosure of the PoC exploit code on Tuesday, February 9.
Arctic Wolf is actively investigating methods to detect and defend against attacks that exploit these vulnerabilities.
Impact
CVE-2021-25274 – RCE in SolarWinds Orion
An attacker that is able to connect to a system running SolarWinds Orion can send specially crafted messages to the SolarWinds Collector Service containing arbitrary code that gets processed by the Microsoft Message Queue (MSMQ) with System-level privileges. The root cause of this vulnerability is a permission issue on the MSMQ requiring no authentication to send it messages and the fact that the SolarWinds Collector Service deserializes these messages in an insecure manner.
A likely attack scenario for this vulnerability is as follows:
- Attacker establishes a foothold in a target organization’s network
- Attacker identifies a server in the target’s internal network running SolarWinds Orion.
- Attacker connects to the server and exploits the vulnerability to remotely execute code with System-level privileges.
CVE-2021-25275 – LPE in SolarWinds Orion
An attacker with pre-established remote or local access to a Windows system running SolarWinds Orion can locate and decrypt a file containing the credentials for the database owner account. The database owner account provides access to the Orion database where data is collected by SolarWinds applications, and also grants admin-level access to connected SolarWinds applications via insert/change of authentication data stored in the “Accounts” table of the database.
CVE-2021-25276 – LPE in SolarWinds Serv-U FTP
For CVE-2021-25276 there are two attack scenarios for an attacker with pre-established remote or local access to a Windows system running SolarWinds Serv-U FTP:
- Leverage access to the %ProgramData%RhinoSoftServ-UUsers<DOMAIN> directory to create a new user profile with administrative privileges.
- Retrieve Argon2 hashed passwords for existing Serv-U FTP accounts and crack them offline in order to assume control of that user account.
Recommendations
- Customers running SolarWinds Orion, should immediately upgrade to Orion 2020.2.4 or the latest stable version.
- Customers running SolarWinds Serv-U, should immediately upgrade to Serv-U v15.2.2 HotFix 1 or the latest stable version.
- Verify that systems running SolarWinds Orion are not accessible from the public internet.
- Review the SolarWinds Orion configuration best practices and verify that the OS, services, and components are secured as per SolarWinds recommendations.
