Researchers say cloud deployments of SolarWinds Orion could put API keys at risk

The fallout from the SolarWinds Orion hack continues with some shareholders filing a class-action lawsuit against executives alleging they were misled about the security of the company, and a warning that the breach could endanger the cloud applications of Orion users.

The caution to cloud users comes from Tel Aviv-based Ermetic Ltd. The firm argued in a blog post that users who deploy a version of the Orion network management platform with an infected update in the cloud could be at risk because it would have privileged access to certain management functions.

There are three risks: Orion databases may store AWS and Azure API keys, Ermetic said, which if accessed could enable an attacker to take over and compromise these accounts. If deployed on AWS or Azure, Orion may also have root API keys, which could enable an attacker to have full admin privileges to the account that Orion is deployed on. Finally, Orion requires access to an identity and access management (IAM) identity, Ermetic argues, which could be compromised.

To mitigate these risks Ermetic recommends organizations that have deployed infected versions of Orion to treat all stored credentials as compromised and rotate them. Cloud security researcher Rob Fuller has released SolarFlare, an open-source tool for generating a full list of the credentials in an Orion database.

If a cloud-based Orion deployment has asked for root API Keys to the AWS/Azure accounts, then a manual review of each identity and resource to determine the extent of exposure is necessary. And to meet the problem that Orion needs access to an IAM identity, verify it has limited permissions only. If you decide to suspend your use of Orion, says Ermtic, remove that identity altogether or, at the very least, revoke its privileges.

Other risks

Organizations around the world that use Orion are still scouring their environments after the discovery last month that a sophisticated hacker had compromised updates to the platform last spring allowing the installation of a backdoor. Of the estimated 33,000 Orion users, 18,000 downloaded the infected updates.

In addition to that compromise, Palo Alto Networks has identified a second vulnerability in Orion.

Meanwhile, SC Magazine reports that some stockholders who bought shares between February 24 and December 15, 2020, have launched a class-action lawsuit in Texas against SolarWinds and some of its top executives. Class actions have to be certified by a judge before going ahead. The claim alleges that while in public documents company said it has incurred “significant expenses to prevent security breaches,” it knew or should have known its update server had “an easily accessible password of ‘solarwinds123’”, and that since the middle of 2020 Orion had a vulnerability.

The allegations have not been proven in a court of law.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now