Researchers have discovered more vulnerabilities in SolarWinds’ Orion platform, and a news agency says the U.S. suspects hackers from China as well as from Russia exploited holes in Orion to spy on organizations.
In a blog released yesterday morning, Trustwave said it found two new vulnerabilities in the Orion network management platform and one in SolarWinds product called Serv-U FTP for Windows, a server that manages file transfers.
“All three are severe bugs with the most critical one allowing remote code execution with high privileges,” wrote blog author Martin Rakhmanov, who discovered the holes. To the best of Trustwave’s knowledge, he said none of the vulnerabilities were exploited during the recently publicized SolarWinds attacks or in any in the wild attacks. However, given the criticality of these issues, Trustwave recommends affected users patch as soon as possible.
The vulnerabilities are:
- Unauthenticated users can send messages to Orion’s messaging queues over TCP port 1801. It’s no secret. In fact, click on any message in Orion’s Messaging Queuing, and it says, “Queue is unauthenticated. Message senders can bypass the Access Control Settings specified in the security tab.” This is an unsafe deserialization problem. A simple Proof of Concept (PoC) shows remote code execution is possible by remote, unprivileged users through combining those two issues, the blog says. Given that the message processing code runs as a Windows service configured to use a LocalSystem account, an attacker would completely control the underlying operating system.
- After a patch is applied, a digital signature validation step is performed on arrived messages so that messages with no signature or not signed with a pre-installation certificate aren’t processed. On the other hand, the blog says, the Microsoft Message Queue (MSMQ) is still unauthenticated and allows anyone to send messages to it.
- Poorly-secured credentials for Orion’s backend Microsoft SQL Server database. Unprivileged users who can log in to a database properties box locally or via RDP will be able to run decrypting code and get a cleartext password for the Orion database user. The attacker could then connect to SQL Server using the recovered account and have complete control over the Orion database. From there, the blog notes, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.
- As for Serv-U FTP for Windows, accounts are stored on disk in separate files. Directory access control lists allow complete compromise by any authenticated Windows user. Anyone who can log in locally or via Remote Desktop can drop a file that defines a new user, and the Serv-U FTP will automatically pick it up, the blog says. After that, an admin account could be created.
Trustwave reported all three findings to SolarWinds at the end of December, and patches have been released. Trustwave will release the proof of concept code next week.
The allegation that a group from China also exploited Orion comes from the Reuters news agency. It says sources believe the software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers. This was done by hijacking the company’s Orion network monitoring software.
Reuters stated that SolarWinds told a reporter it was aware of a single customer compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and released an update to fix the bug in December.