
Security advisories | Feb 03, 2021

Multiple SolarWinds Vulnerabilities Announced

THE THREAT

On February 3rd, 2021, three new vulnerabilities affecting two SolarWinds products were disclosed. The SolarWinds Orion platform contains a remote code execution vulnerability (CVE-2021-25274) and an unsecured credentials vulnerability (CVE-2021-25275). The SolarWinds Serv-U FTP product contains a privilege escalation vulnerability (CVE-2021-25276). These vulnerabilities have not received criticality ratings at this time.

Security patches have been released to address all three vulnerabilities, and it is highly recommended that organizations apply them as soon as possible. The researchers who reported the flaws have stated that proof-of-concept exploit code will be made publicly available on February 9th [1], which increases the likelihood of public exploitation once the details are out.

What we’re doing about it

  • eSentire security teams continue to track this topic for additional details and detection opportunities
  • MVS will automatically add the relevant checks for the vulnerabilities once plug-ins are made available

What you should do about it

  • After performing a business impact review, apply the relevant security patches

Additional information

Vulnerability Details:

  • CVE-2021-25274 – Remote code execution vulnerability in the Orion platform. Exploitable by unauthenticated users
  • CVE-2021-25275 – Unsecured credentials vulnerability impacting the Orion platform. Exploitation requires a locally authenticated user
    • It is noteworthy that the CVE number assigned to this vulnerability is the same one previously associated with a vulnerability in Dovecot. It is currently unclear why the overlap occurred and whether the CVE number will be reassigned in the future
  • CVE-2021-25276 – Privilege escalation vulnerability found in the Serv-U FTP product. Exploitation requires previous authentication

To date, there is no indication that these vulnerabilities have been exploited in the wild. This assessment is likely to change as technical details and proof-of-concept code are released.

In an unrelated report, Reuters disclosed that the National Finance Center (NFC), a U.S. Department of Agriculture (USDA) federal payroll agency, was breached via a previously unreported vulnerability in the SolarWinds Orion platform, distinct from the three vulnerabilities described above [2]. SolarWinds released a security patch addressing that vulnerability in December 2020.

References:

[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/

[2] https://www.reuters.com/article/us-cyber-solarwinds-china/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8