SolarWinds patches two critical CVEs in Orion platform

Users of SolarWinds’ Orion networking platform – the service at the centre of the high-profile Solorigate/Sunburst attack – are once again being advised to patch their systems urgently following the disclosure of two unrelated critical vulnerabilities.

Discovered by researchers at Trustwave’s SpiderLabs unit, and assigned CVEs 2021-25274 and 2021-25275, the bugs were disclosed to SolarWinds on 30 December 2020 and confirmed in early January 2021. A patch has been available since 25 January, and proof-of-concept code is also available, although it is being held back for a bit longer to give end-user administrators more time to rectify the issues.

At the same time, Trustwave disclosed a third unrelated vulnerability in SolarWinds Serv-U FTP (File Transfer Protocol) for Windows, which has been assigned CVE-2021-25276.

“All three are severe bugs, with the most critical one allowing remote code execution with high privileges,” said Martin Rakhmanov, SpiderLabs security research manager, in a disclosure blog.

“To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any ‘in the wild’ attacks. However, given the criticality of these issues, we recommend that affected users patch as soon as possible.”

CVE-2021-25274 is the most serious remote code execution (RCE) vulnerability found by Rakhmanov. It enables an unauthenticated user to gain complete control over the target’s SolarWinds installation remotely, without having any compromised credentials available, by chaining exploitation of two different issues that exist in how the system handles incoming messages.

CVE-2021-25275 was found in the Orion-based User Device Tracker and enables an attacker to log into SolarWinds either locally or via Remote Desktop Protocol (RDP) and obtain a plain text password for the organisation’s back-end database, from where they can exfiltrate data or create new accounts with admin rights.

CVE-2021-25276, in the Serv-U FTP product, is a directory access control bug that enables an authenticated user logging in either locally or via RDP to create a new user profile with admin rights.

“Trustwave reported all three findings to SolarWinds, and patches were released in a very timely manner,” said Rakhmanov. “We want to thank SolarWinds for their partnership during the disclosure process. We recommend that administrators upgrade as soon as possible.”

At the time of writing, patches have been available for Orion Platform 2020 2.4 since 25 January, and a patch for Serv-U FTP 115.2.2 follows today (3 February) to coincide with the public disclosure. These can be obtained directly from SolarWinds in the usual manner.

A SolarWinds spokesperson told Computer Weekly: “Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now. The vulnerabilities announced by Trustwave concerning Orion 2020.2.4 have been addressed. 

“We have always been committed to working with our customers and other organisations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process.”

Besides the ongoing forensic investigation into the December 2020 attack, with which it is being assisted by CrowdStrike and KMPG, SolarWinds is currently working on an overhaul of its product security, as recently detailed by CEO Sudhakar Ramakrishna.

As part of this, it is: deploying new threat protection and threat-hunting tools; analysing its product development environment to identify the root cause of the breach; rechecking its compiled releases to ensure they match the original source code and re-signing all its products with new digital certificates; and reaching out to ethical hackers and penetration testers to better identify any other problems.