Security IT

CISA Updates SolarWinds Guidance, Tells US Govt Agencies To Update Right Away (zdnet.com) 27

The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack. From a report: In an update posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year. Agencies that can't update by that deadline are to take all Orion systems offline, per CISA's original guidance, first issued on December 18. The guidance update comes after security researchers uncovered a new major vulnerability in the SolarWinds Orion app over the Christmas holiday. Tracked as CVE-2020-10148, this vulnerability is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. This vulnerability was being exploited in the wild to install the Supernova malware on servers where the Orion platform was installed, in attacks separate from the SolarWinds supply chain incident.
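The guidance above turns on one version string: hosts still running Orion below 2020.2.1HF2 at the deadline are to be disconnected. As an added example (not part of the ZDNet report or CISA's guidance), the Python below parses SolarWinds-style version strings, including the "HFn" hotfix suffix, and sorts a small asset inventory into hosts that meet the required version and hosts that must be updated or taken offline. The inventory hostnames and versions are constructed for this example; the version-string format is assumed to be `YEAR.MINOR[.PATCH][HFn]`, which covers the value the report quotes.

```python
import re
from typing import Dict, List, Tuple

# Version named in the CISA update quoted above.
REQUIRED_VERSION = "2020.2.1HF2"

# Assumed format: YEAR.MINOR[.PATCH][ HFn], e.g. "2020.2.1HF2", "2019.4 HF5", "2020.2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF(\d+))?$", re.IGNORECASE)

# Constructed sample inventory (hostnames and versions are made up, not real assets).
SAMPLE_INVENTORY: Dict[str, str] = {
    "orion-hq-01": "2020.2.1HF2",   # already at the required version
    "orion-hq-02": "2020.2.1 HF1",  # one hotfix behind
    "orion-dc-01": "2019.4 HF5",    # older release branch
    "orion-lab-01": "2020.2",       # no patch, no hotfix
    "orion-ops-01": "build-unknown",  # unparseable; must be checked by hand
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (year, minor, patch, hotfix) so tuples compare in release order.

    A missing patch or hotfix component counts as 0, so "2020.2.1" sorts
    below "2020.2.1HF1", which sorts below "2020.2.1HF2".
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = match.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def triage_inventory(inventory: Dict[str, str],
                     required: str = REQUIRED_VERSION) -> Dict[str, List[str]]:
    """Bucket hosts by whether they meet the required version.

    'compliant'            - version >= required, may stay connected
    'update_or_disconnect' - below required; per the guidance, update by the
                             deadline or take the system offline
    'unparseable'          - version string not understood; needs manual review
    """
    required_tuple = parse_version(required)
    buckets: Dict[str, List[str]] = {
        "compliant": [],
        "update_or_disconnect": [],
        "unparseable": [],
    }
    for host, version in sorted(inventory.items()):
        try:
            parsed = parse_version(version)
        except ValueError:
            buckets["unparseable"].append(host)
            continue
        if parsed >= required_tuple:
            buckets["compliant"].append(host)
        else:
            buckets["update_or_disconnect"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Treating an unparseable version as a separate bucket rather than silently passing or failing it is the point of the third list: an inventory field that cannot be read is exactly the host most likely to be missed when the deadline arrives.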
  • Solarwinds? Orion platforms? Supernova malware? People have really stepped up their branding game lately.
    • > Solarwinds? Orion platforms? Supernova malware? People have really stepped up their branding game lately.

      Yeah, you're right. Hell of a lot better than a million Googles to Tweet someone's Insta-post. And who could forget that "nationalist" marketing era, when America was OnLine.

      I'm thinking superhero names for the next batch of products. After all, marketing a "spidey sense" with your IDS and an Iron (Man) Firewall, can't be bad...

      • Oh snap, man, you sure compuserved 'em good!

        You're right about the superhero names. I was going to call my green blockchain electric smart generator startup "Water and Power," but I knew Jet Girl would show up to roast me if that happened.

        So I'm gonna call it Green Peek-an-Chew.

    • SolarWinds is at least 20 years old.

      They used to produce software "Viagra" to compensate for the fact that you started your project with something Micro and Soft and then realized that you need network capabilities - tftp, bootp, etc.

      Their branch out into NMS is fairly recent (In fact, I did not know they did when the hack was announced). They have brought into NMS world both some "Micro and Soft" competence and "total information awareness" as demanded by their USA and NATO military and government agen

      • Brilliant prose. In simple words: it is deeply wrong for system monitoring software to run as root.

      • What if Windows for Warships is actually really secure, but comes with built in honeypots that look like Windows bugs?

        That's the problem with blathering about stuff with secret details. You don't know what those details are.

      • > Windows for Warships (as used on the new UK aircraft carriers and destroyers)

        That's not exactly a new thing [wired.com]
    • Security space cases. Just part of life in the Windows universe.

    • Ahh, my network is being bombarded by a solar wind; it is stripping away all the firewall settings and creating massive localized radiation of charged particles. And these particles seem oddly attracted to Russian internet servers.

      And if that isn't bad enough, Orion went supernova and took out half the supply chain management software.

      Yeah, great branding. And people complained that Nagios was too naggy. That's nothing compared to a solarwind that stripped you bare.

  • Well, force the PHB to come into the office to sign off on the change order.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Thursday December 31, 2020 @09:38AM (#60881760)
    Comment removed based on user account deletion
  • All the news articles about Microsoft's heroic actions, their insecure OS caused the problem.

  • by jmccue ( 834797 )

    Well, guidance of just taking the system offline with Orion installed is great, a typical Gov response. But that is probably just enough to make Congress happy, since they know nothing about IT. That is what most responses consist of these days: do the bare minimum just to make the upper level happy. (Same is true in business also.)

    From what I read, once they got into your network via Orion, they planted rootkits and such things in other systems. So just removing/upgrading Orion will not do anything if

    • by gtall ( 79522 )

      Yeah, I'm sure that wouldn't have occurred to CISA and the government systems managers. Somehow you believe them to be as stupid as your post.

    • Indeed. You discovered that the problem is complicated and requires multiple actions, so when one action taken was made public, you knew there couldn't be anything else happening at all.

      If a tree fell in the woods and somebody told you that they heard it, you'd know it didn't make a sound. After all, you didn't hear it.

    • by sjames ( 1099 )

      There are other steps, and they will likely be taking them. The big issue is that it doesn't seem to have occurred to them that the real problem is trying to over-centralize management and granting way too much permission, due to a combination of software not being written to behave well with only the necessary permissions and a failure to do the analysis to determine the least privilege that can accomplish the task.

  • 1. Compromise update server.
    2. Demand users install updates.
    3. ???

  • Let's give it up for the security researchers who kept working over holiday break to make sure USG had a good enough reason to patch their shitty systems.
