Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SolarWinds Product Vulnerabilities Allow Hackers to Take Full Control of Systems

Cybersecurity firm Trustwave on Wednesday reported that one of its researchers recently discovered several potentially serious vulnerabilities in products made by Texas-based IT management solutions provider SolarWinds.

Cybersecurity firm Trustwave on Wednesday reported that one of its researchers recently discovered several potentially serious vulnerabilities in products made by Texas-based IT management solutions provider SolarWinds.

SolarWinds was recently targeted in a sophisticated supply chain attack that resulted in thousands of organizations receiving malicious updates for the company’s Orion monitoring product, and a few hundred — ones that presented an interest to the attackers — getting other malware that may have given the hackers deep access into their networks.

Following the disclosure of the attack, Trustwave researchers decided to analyze SolarWinds products based on the Orion framework to see if they contain any vulnerabilities that could expose the company’s customers to attacks. They discovered two vulnerabilities in Orion and one in Serv-U FTP software.

“To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any ‘in the wild’ attacks,” Trustwave said in a blog post.

The security holes were reported to SolarWinds in late December 2020 and early January 2021. The Orion vulnerabilities were patched on January 25 with the release of version 2020.2.4, and the Serv-U issue is expected to be patched on February 3.

One of the Orion vulnerabilities, tracked as CVE-2021-25275, is related to the exposure of credentials for the backend database. The credentials, discovered by researchers in a configuration file, allow access to the Microsoft SQL Server system, which in turn provides control over the Orion database. Once they can access this database, an attacker could steal information or add new users with administrator privileges.

While exploitation of this vulnerability requires the attacker to have at least limited access to the targeted system, Trustwave researchers also discovered a more serious security hole that can be exploited remotely, without authentication.

This Orion flaw, tracked as CVE-2021-25274, is a deserialization issue and it can be exploited by a remote, unauthenticated attacker to execute arbitrary code on the targeted system with elevated privileges, giving them complete control of the underlying operating system.

Advertisement. Scroll to continue reading.

The Serv-U vulnerability, identified as CVE-2021-25276, can be exploited by an attacker who has local access to the targeted system — or who has logged in via RDP — to read, write or delete any file on the system.

“Following the recent nation-state attack against an array of American software providers, including SolarWinds, we have been collaborating with our industry partners and government agencies to advance our goal of making SolarWinds the most secure and trusted software company,” SolarWinds said in an emailed statement.

It added, “We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process.”

Trustwave says it plans on releasing proof-of-concept (PoC) code for these vulnerabilities only on February 9 in order to give SolarWinds customers more time to install the patches.

Related: China-Linked Hackers Exploited SolarWinds Flaw in U.S. Government Attack: Report

Related: New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds

Related: Continuous Updates: Everything You Need to Know About the SolarWinds Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.