Security Experts:

New Code Execution Flaws In Solarwinds Orion Platform

Solarwinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that be exploited for remote code execution attacks.

The patches were pushed out Thursday as part of a minor security makeover of the Orion Platform, the same compromised Solarwinds product that was exploited in recent nation-state software supply chain attacks.

The latest Orion Platform 2020.2.5 addresses at least four security flaws, one rated “critical” because of the risk of remote code execution attacks. The company did not release technical details of the vulnerability, which does not yet have a CVE assigned.

Solarwinds described that flaw simply as “RCE via Actions and JSON Deserialization.” The company warned that the critical bug was found via the test alert actions and noted that an Orion authenticated user is required to successfully launch an exploit.

A second bug, rated “high-risk” also brings remote code execution risk, Solarwinds warned. “The vulnerability can be used to achieve authenticated RCE as Administrator. In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server.”

The update also includes fixes for a “high-risk” stored-XSS vulnerability and a medium-severity issue that could lead to reverse-tabnabbing and open redirect attacks.

Related: SolarWinds Says 18,000 Customers May Have Used Compromised Orion Product

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.