Severe Security Vulnerabilities found in SolarWinds Software

On Wednesday 3rd February, 2021, cyber security researchers disclosed 3 new vulnerabilities found in SolarWinds products. The most severe of the three could be executed in remote execution mode with elevated privileges. The two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25.

Affected CVEs

  1. CVE-2021-25274 and CVE-2021-25275 were identified in the SolarWinds Orion Platform.  
  2. A third separate weakness, CVE-2021-25276 was found in the company's Serv-U FTP server for Windows.

How do the exploitations work?

  1. The most crucial vulnerability includes improper use of Microsoft Messaging Queue (MSMQ), which is used heavily by the SolarWinds Orion Collector Service, thereby allowing unauthenticated users to send messages to such queues over TCP port 1801.
  2. It eventually attains RCE by chaining it with another unsafe deserialization issue in the code that handles incoming messages.
  3. It is still a matter of caution that the MSMQ is still unauthenticated and allows anyone to send messages to it.
  4. The second vulnerability, also found in the Orion Platform, concerns the insecure manner in which credentials of the backend database (named "SOLARWINDS_ORION") is stored in a configuration file, resulting in a local, unprivileged user take complete control over the database, steal information, or even add a new admin-level user to be used inside SolarWinds Orion products.
  5. Lastly, a flaw in SolarWinds Serv-U FTP Server 15.2.1 for Windows could allow any attacker that can log in to the system locally or via Remote Desktop to drop a file that defines a new admin user with full access to the C:\ drive, which can then be leveraged by logging in as that user via FTP and read or replace any file on the drive.

Remediations

  1. It's highly recommended that users install the latest versions of Orion Platform (2020.2.4) and Serv-U FTP (15.2.2 Hotfix 1) to mitigate the risks associated with the flaws.
  2. The proof-of-concept (PoC) code will be released next week on February 9, which is when more remedies may be known.
  3. SolarWinds issued a patch to address the vulnerability on December 26, 2020.
  4. The patch released by SolarWinds (Orion Platform 2020.2.4) addresses the bug with a digital signature validation step that's performed on arrived messages to ensure that unsigned messages are not processed