Three Critical SolarWinds Vulnerabilities Ring the Bell of Change

  • Researchers discovered two critical flaws on SolarWinds Orion and one bug on Serv-U FTP.
  • This throws more fuel in the fire that is burning the American software vendor.
  • The vulnerabilities have been fixed, but the actual PoC will be released a little bit later to allow time for patching.

There’s a growing concern about the risks of closed-source software being deployed in critical environments following the supply chain attacks carried out through the SolarWinds Orion product. While the investigation on the impact and scope of these attacks is ongoing, researchers at Trustwave have found two critical flaws in the SolarWinds Orion platform and another one on SolarWinds Serv-U FTP. Those who have been calling for a shift to open source solutions have just gotten some strong backing for their arguments.

The first Orion flaw is CVE-2021-25274, and it is a remote code execution that is based on a combination of two issues. The proof of concepts describes the worrying ability to send messages to unauthenticated queues over TCP port 1801, without the user having to authenticate either.

The attacker can gain complete control of the underlying operating system as the message processing code runs as a Windows service that is configured to use the LocalSystem account.

Source: Trustwave

The second vulnerability is CVE-2021-25275, and it concerns a database credentials access problem. The researchers found that it’s fairly easy to access the database file on the products installation folder, as the permissions allow all users to open and read it.

While the contents are encrypted, deriving the cleartext password for the SolarWindsOrionDatabaseUser is also easy using a simple utility. From there, a low-level user can connect to the Microsoft SQL Server and take full control of the database.

Source: Trustwave

Finally, there’s CVE-2021-25276, which concerns the Serv-U FTP product for Windows. This bug practically allows users to create admin accounts under their ownership, log in via FTP, and then fiddle with whatever their want on the system disk as LocalSystem. The exploit also works via Remote Desktop, so the consequences are dire.

Source: Trustwave

The Trustwave team found the two Orion flaws and disclosed them to SolarWinds on December 30, 2020, along with the PoC details. The Serv-U FTP bug was reported to the vendor on January 04, 2021.

SolarWinds eventually released the corresponding hotfixes on January 22 (Serv-U FTP) and January 25 (Orion), so the issues have been addressed. To keep your systems safe from the three flaws, upgrade to Orion 2020.2.4 and Serv-U FTP 15.2.2 Hotfix 1.

REVIEW OVERVIEW

Latest

Pinelands Regional School District Announced Data Breach

Pinelands Regional School District concluded an investigation about a data breach they had in March this year.The breach happened using then board...

Banking Trojan Targets 100 Organizations in Brazil

A banking trojan from Latin America was found targeting almost 100 Brazilian organizations and individuals.The malware was first noticed in late August...

The Number of Phishing Emails Impersonating Craigslist Is Growing

Craigslist Gsuite & Microsoft users are being targeted with phishing emails that present a fake user login page.These emails rely on brand...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari