A Trustwave employee has discovered three security vulnerabilities in SolarWinds products. Two of them, including the most dangerous one, which is remotely exploitable, affect the Orion platform; the third is in the FTP server software Serv-U FTP. Attackers could abuse the Orion vulnerabilities to execute arbitrary code remotely (CVE-2021-25274) or to access databases and add new users with admin rights (CVE-2021-25275). The Serv-U FTP vulnerability CVE-2021-25276 allows the creation of admin accounts for the FTP software and thereby full access to files that were previously inaccessible.
In addition, another critical vulnerability in the Orion platform, which the Zero Day Initiative (ZDI) had reported to SolarWinds, has been closed. The release notes for the patched Orion version describe it as "Improper Access Control Privilege Escalation"; further details, or even a CVE ID, are still missing so far.
The three Orion vulnerabilities were closed in version 2020.2.4 of the Orion platform. Serv-U FTP 15.2.2 Hotfix 1 eliminates the security problem in Serv-U FTP.
Background and proof-of-concept code
What makes this discovery particularly significant, and the timely installation of the available updates all the more important, is the fact that the Orion platform was abused last year as the entry point into the networks of numerous large companies and organizations worldwide. For this purpose, attackers had gained access to SolarWinds' software build system in early 2020 in order to inject malicious code ("Sunburst") into Orion updates. This then installed a backdoor on compromised systems and opened the door for further malware. We covered the developments in several reports, among others here:
- Cyber attacks via SolarWinds software
- Intruders viewed Windows source code and FireEye attack tools
- Further malware from the SolarWinds attack chain discovered
- US investigators: massive hacker attack goes far beyond SolarWinds
Furthermore, the Trustwave team has announced that it will publish proof-of-concept code for the three vulnerabilities it discovered as early as February 9. From that point on, the probability of active attacks using that code increases.
Trustwave emphasizes that, to its knowledge, the three vulnerabilities have not been exploited in the past and that no publicly available exploit code is known so far. In particular, they played no role in the course of last year's attacks on Orion.
Details on the vulnerabilities
The remotely exploitable Orion vulnerability CVE-2021-25274 is based on a faulty use of the Microsoft Message Queue (MSMQ). According to the Trustwave researcher, this more than twenty-year-old technology is hardly used on modern Windows systems any more, which is what drew his attention to it during the analysis. The vulnerability allows users with ordinary user privileges to execute code remotely with the highest possible rights.
The second Orion vulnerability (CVE-2021-25275) can be exploited by local users regardless of their access rights. According to Trustwave's description, inadequate protection of stored credentials allows a complete takeover of the Orion database.
The vulnerability in Serv-U FTP (CVE-2021-25276) also requires local user access (again with arbitrary access rights). It is abused by creating a specially crafted file that causes a new, specially configured admin account to be created. Because the FTP program runs under the LocalSystem account, this admin has full access to all files on drive C:. More detailed information on all three vulnerabilities is provided in an entry on the Trustwave blog as well as in a fact sheet summarizing the most important points.
By contrast, SolarWinds' own advisories (or even further information via Twitter and the like) are still missing as of now. The company thus lags significantly behind the standards that have become established among manufacturers in recent years. Given the loss of trust caused by last year's compromise and the need to rebuild a solid image in security matters, this showing is all the harder to understand.