Security researchers have discovered three “severe” security flaws in IT products made by SolarWinds, the company at the centre of a sprawling cyberattack that compromised up to 18,000 customers.
The most critical SolarWinds vulnerability allows remote code execution with high privileges of the company’s Orion platform, used for IT management.
The other two vulnerabilities are exploitable by someone with local access to take control of the SOLARWINDS_ORION database, which could allow an attacker to steal data or add a new user with admin-level privileges. All three vulnerabilities have now been patched.
Cybersecurity firm Trustwave, which discovered the fresh SolarWinds vulnerabilities, said it would wait until 9 February to provide a proof-of-concept code to give SolarWinds customers more time to implement security updates.
“These issues could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system,” said Martin Rakhmanov, the Trustwave researcher who discovered the vulnerabilities.
However, Trustwave said it has seen no evidence that any of the three vulnerabilities have been exploited by bad actors, including during the recent ‘Sunburst’ megahack that comprised US government agencies and private sector firms.
“Severe” vulnerabilities add to SolarWinds’ woes
The first vulnerability, CVE 2021-25274, revolves around unauthenticated private queues in Microsoft Message Queue, which could allow a user without privileges to execute code remotely.
The flaw could give an attacker “complete control of the underlying operating system”, said Rakhmanov.
The second vulnerability, CVE-2021-25275, allows an attacker to decrypt passwords stored in the Orion database. A hacker could then recover an account to with the cracked password to steal information or add a new admin-level user to SolarWinds Orion products.
The third vulnerability, CVE-2021-25276, demonstrated a flaw in SolarWinds’ Serv-U FTP product.
“Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up,” explained Rakhmanov.
Trustwave disclosed the vulnerabilities to SolarWinds on 30 December, with the two companies working together to release patches on 25 January.
The SolarWinds hack first came to light in December when US cybersecurity firm FireEye revealed it had been breached by a “highly sophisticated” attack launched by a nation state with “top-tier offensive capabilities”.
Nation-state hackers injected malicious code into software updates for Orion, which is used by organisations to monitor their computer networks for outages and problems.
Companies that installed the tainted Orion update unwittingly gave the hackers remote access to their networks, allowing them to steal information and possibly lay the groundwork for future attacks.
The US government has formally blamed Russian operatives for the SolarWinds hack. On Tuesday Reuters reported that Chinese hackers independently exploited a different flaw in SolarWinds products last year.