Cybersecurity firm Trustwave on Wednesday reported that one of its researchers recently discovered several potentially serious vulnerabilities in products made by Texas-based IT management solutions provider SolarWinds.
SolarWinds was recently targeted in a sophisticated supply chain attack that resulted in thousands of organizations receiving malicious updates for the company’s Orion monitoring product, and a few hundred — ones that presented an interest to the attackers — getting other malware that may have given the hackers deep access into their networks.
Following the disclosure of the attack, Trustwave researchers decided to analyze SolarWinds products based on the Orion framework to see if they contain any vulnerabilities that could expose the company’s customers to attacks. They discovered two vulnerabilities in Orion and one in Serv-U FTP software.
“To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any ‘in the wild’ attacks,” Trustwave said in a blog post.
The security holes were reported to SolarWinds in late December 2020 and early January 2021. The Orion vulnerabilities were patched on January 25 with the release of version 2020.2.4, and the Serv-U issue is expected to be patched on February 3.
One of the Orion vulnerabilities, tracked as CVE-2021-25275, is related to the exposure of credentials for the backend database. The credentials, discovered by researchers in a configuration file, allow access to the Microsoft SQL Server system, which in turn provides control over the Orion database. Once they can access this database, an attacker could steal information or add new users with administrator privileges.
While exploitation of this vulnerability requires the attacker to have at least limited access to the targeted system, Trustwave researchers also discovered a more serious security hole that can be exploited remotely, without authentication.
This Orion flaw, tracked as CVE-2021-25274, is a deserialization issue and it can be exploited by a remote, unauthenticated attacker to execute arbitrary code on the targeted system with elevated privileges, giving them complete control of the underlying operating system.
The Serv-U vulnerability, identified as CVE-2021-25276, can be exploited by an attacker who has local access to the targeted system — or who has logged in via RDP — to read, write or delete any file on the system.
“Following the recent nation-state attack against an array of American software providers, including SolarWinds, we have been collaborating with our industry partners and government agencies to advance our goal of making SolarWinds the most secure and trusted software company,” SolarWinds said in an emailed statement.
It added, “We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process.”
Trustwave says it plans on releasing proof-of-concept (PoC) code for these vulnerabilities only on February 9 in order to give SolarWinds customers more time to install the patches.