More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others • The Register

More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others
Probably not used by last year's US government-busting attackers, though
Gareth Corfield Wed 3 Feb 2021 // 21:25 UTC SHARE
As if that supply chain attack wasn't bad enough, SolarWinds has had to patch its Orion software again after eagle-eyed researchers discovered fresh vulnerabilities – including one that can be exploited to achieve remote code execution.

Ziv Mador, security research veep at Trustwave, the firm that found the flaws, told The Register: "It's very severe, not only because of the ability to run unauthorized code on the Orion platform, but also because anyone on the network, not even someone that has [no] access to that server, can do that."

Detailed in a blog post today, Trustwave discovered that SolarWinds' Orion network management product contained a remote code execution (RCE) flaw (CVE-2021-25274) that hinged on SolarWinds' use of the Microsoft Message Queue technology.

The vulns are not known to have been abused by miscreants who used Orion to infiltrate FireEye and the US government, among others, last year.

"An actor that even doesn't have an ability to log in to those servers – just run somewhere on some computers that can communicate with that server – sends commands to the Orion platform server" and those commands are then executed, explained Mador, adding that they "are not validated".

President Vladimir Putin surrounded by aides and soldiers
US court system ditches electronic filing, goes paper-only for sensitive documents following SolarWinds hack
READ MORE
Microsoft explains Message Queueing in full here and here. Briefly, it's a Windows feature that lets programs send messages to multiple recipients.

"The problem here is that the queues that [SolarWinds] use are completely open," Trustwave's VP told The Register. "So they accept messages from any user. And then they don't even validate who they are, for example, [checking if they're] digitally signed, they just run. So we did an experiment. And we're able, for example, to get shared access to [the Orion host] server by sending a maliciously crafted message to one of those queues."

A second vuln (CVE-2021-25274) gave crooks with local access to the server access to the master user account database for that Orion installation. Poor permissions policies meant any locally authenticated user of the server – possibly one who used the above flaw to create a local low-privileged user account – could read and write to the database.

Mador said: "The password to that database is stored in a file that is accessible to anyone who can log into that server, either an administrator or not. So just a normal, say, domain user who can log into the box and is not an administrator can still access that file and access that password."

The password was encrypted with the standard Windows Data Protection API, which presents no serious barrier to a determined adversary. Having the password lets miscreants create new admin accounts for the Orion installation by simply adding a new entry to the user database, said Mador.

Trustwave also found a third flaw in another SolarWinds product, Serv-U FTP for Windows, allowing an authenticated attacker to create new admin accounts by simply copy-pasting crafted files into a target directory. Serv-U runs with local system privileges.

Full proof-of-concepts are due to be released on February 9, giving SolarWinds' customers time to apply published patches. The vulns were discovered and disclosed in December and patches are available on SolarWinds' website.

SolarWinds previously updated its Orion software to remove a backdoor secretly implanted in the code by suspected Russian hackers, who used the hidden hole to gain entry to selected organizations that deployed the tainted network monitoring suite. China is also believed to have exploited SolarWinds in some way to reach into victims.