Three vulnerabilities were discovered this week that once again impact SolarWinds products.
Two of the vulnerabilities (CVE-2021-25274 and CVE-2021-25275) impact the SolarWinds Orion Platform. The third (CVE-2021-25276) affects SolarWinds’ Serv-U FTP server for Windows.
CVE-2021-25274 is still undergoing analysis. Prior to version 2020.2.4, the Collector Service in SolarWinds’ Orion Platform uses MSMQ (Microsoft Message Queue) without setting permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP (Transmission Control Protocol) port 1801; once the TCP handshake completes, data can be sent in both directions over the connection. Exploitation requires no authentication and can be launched remotely. No technical details or public exploit are currently available. Upgrading to version 2020.2.2 eliminates the vulnerability.
All the information for CVE-2021-25275 is still being analyzed as well. SolarWinds’ Orion Platform, before version 2020.2.4, installs and uses a SQL Server backend and stores the database credentials for that backend in a file readable by unprivileged users. Any user with access to the filesystem can therefore read the database login details, and those credentials can be used to obtain database owner access to the SWNetPerfMon.DB database, which holds the data collected by SolarWinds applications. Patch information for this vulnerability is available here: https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm
Information about CVE-2021-25276 is also still emerging. What is known today is that SolarWinds Serv-U before 15.2.2 Hotfix 1 has a directory containing user profile files that can be modified. If an unprivileged Windows user has access to the server’s filesystem, a threat actor can add an FTP user by copying a real profile file into that directory. Updating to 15.2.2 Hotfix 1 resolves this vulnerability.
At this time, there is no evidence suggesting these vulnerabilities were exploited by any threat actors, but there certainly aren’t any guarantees. If your organization is using SolarWinds, we recommend patching these listed vulnerabilities or developing a plan to do so immediately.
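As an added example (not part of the original post and not a SolarWinds or SpearTip tool), the Python below supports that patch plan: it compares Orion and Serv-U version strings against the fixed versions named above and flags connections to the MSMQ port, TCP/1801, from sources outside a trusted range. The flow-line format, the sample addresses and the trusted range are constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

MSMQ_PORT = 1801             # TCP port used by the Orion Collector Service's MSMQ listener
ORION_FIXED = (2020, 2, 4)   # Orion Platform 2020.2.4 (the release notes linked above)
SERVU_FIXED = (15, 2, 2, 1)  # Serv-U 15.2.2 Hotfix 1

def parse_orion_version(v: str) -> Tuple[int, ...]:
    """'2020.2.1' -> (2020, 2, 1); dotted numeric versions then compare as tuples."""
    return tuple(int(p) for p in v.strip().split("."))

def parse_servu_version(v: str) -> Tuple[int, int, int, int]:
    """'15.2.2 Hotfix 1' -> (15, 2, 2, 1); a build with no hotfix gets hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\s+Hotfix\s+(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Serv-U version: {v!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def orion_vulnerable(v: str) -> bool:
    """True when an Orion build predates the 2020.2.4 fix (CVE-2021-25274, CVE-2021-25275)."""
    return parse_orion_version(v) < ORION_FIXED

def servu_vulnerable(v: str) -> bool:
    """True when a Serv-U build predates 15.2.2 Hotfix 1 (CVE-2021-25276)."""
    return parse_servu_version(v) < SERVU_FIXED

def exposed_msmq_sources(flows: Iterable[str], trusted: List[str]) -> List[str]:
    """Source IPs that reached TCP/1801 from outside the trusted ranges.
    Flow lines are 'proto src dst dport' (a constructed format for this example)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for line in flows:
        proto, src, _dst, dport = line.split()
        if proto.lower() != "tcp" or int(dport) != MSMQ_PORT:
            continue  # only the MSMQ TCP listener is of interest here
        if not any(ipaddress.ip_address(src) in n for n in nets):
            hits.append(src)
    return hits

# Constructed sample flows: an internal and an external client both reach MSMQ over TCP.
SAMPLE_FLOWS = [
    "tcp 10.0.5.12 10.0.1.20 1801",
    "tcp 203.0.113.7 10.0.1.20 1801",
    "tcp 198.51.100.9 10.0.1.20 443",
    "udp 203.0.113.8 10.0.1.20 1801",
]
```

Run against a real inventory and flow export, any source it returns for TCP/1801 that is not an expected Orion poller is a reachability finding worth closing at the firewall while the upgrade is scheduled.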
SpearTip cybersecurity experts have kept tabs on the SolarWinds situation from the start. Our developers created a free tool, Sunscreen SPF 10, that checks whether the Sunburst malware has been in your network by monitoring for malicious activity and rooting out compromised versions of SolarWinds. In addition, ShadowSpear® can be used to monitor your environment and prevent exploits targeting these vulnerabilities.
The cybersecurity professionals in our Security Operations Center (SOC) are on call 24/7 and will assist with any issues or concerns regarding the SolarWinds breach. If you have questions, call the SOC at 833.997.7327.