CISA Updates SolarWinds Guidance, Tells US Govt Agencies To Update Right Away (zdnet.com)
The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack. From a report: In an update posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year. Agencies that can't update by that deadline are to take all Orion systems offline, per CISA's original guidance, first issued on December 18. The guidance update comes after security researchers uncovered a new major vulnerability in the SolarWinds Orion app over the Christmas holiday. Tracked as CVE-2020-10148, this vulnerability is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. This vulnerability was being exploited in the wild to install the Supernova malware on servers where the Orion platform was installed, in attacks separate from the SolarWinds supply chain incident.
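An added compliance check (example code, not CISA's or SolarWinds's own tooling) that parses Orion version strings and applies the rule above: hosts at or above 2020.2.1HF2 are compliant, anything lower must be updated by the deadline or taken offline. The inventory is constructed sample data with placeholder hostnames, and treating releases newer than the baseline as compliant is an assumption.

```python
import re

# Baseline version named in the CISA guidance quoted above.
REQUIRED_VERSION = "2020.2.1HF2"

# Accepts the SolarWinds-style forms '2020.2.1 HF2', '2019.4HF5', '2020.2'.
VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text):
    """Turn an Orion version string into a comparable (year, minor, patch, hotfix) tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def classify_host(hostname, version):
    """Return (hostname, status, note) for one host under the update-or-offline rule."""
    try:
        parsed = parse_orion_version(version)
    except ValueError:
        return (hostname, "UNKNOWN", "version string could not be parsed; verify by hand")
    # Assumption: anything at or newer than the baseline satisfies the guidance.
    if parsed >= parse_orion_version(REQUIRED_VERSION):
        return (hostname, "COMPLIANT", "")
    return (hostname, "UPDATE_OR_OFFLINE",
            f"below {REQUIRED_VERSION}; update by 31 Dec or take the Orion system offline")


def triage(inventory):
    """Classify every (hostname, version) pair in an inventory."""
    return [classify_host(host, version) for host, version in inventory]


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("orion-east.example.invalid", "2020.2.1 HF2"),
    ("orion-west.example.invalid", "2020.2.1 HF1"),
    ("orion-lab.example.invalid", "2019.4 HF5"),
    ("orion-dev.example.invalid", "2020.2"),
    ("orion-old.example.invalid", "unknown"),
]

if __name__ == "__main__":
    for host, status, note in triage(SAMPLE_INVENTORY):
        print(f"{host:28} {status:18} {note}")
```

Hosts reported as UNKNOWN need a manual version check before the deadline rather than being assumed safe.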
Neat names (Score:1)
Re: (Score:2)
Solarwinds? Orion platforms? Supernova malware? People have really stepped up their branding game lately.
Yeah, you're right. Hell of a lot better than a million Googles to Tweet someone's Insta-post. And who could forget that "nationalist" marketing era, when America was OnLine.
I'm thinking superhero names for the next batch of products. After all, marketing a "spidey sense" with your IDS and an Iron (Man) Firewall, can't be bad...
Re: (Score:2)
Oh snap, man, you sure compuserved 'em good!
You're right about the superhero names. I was going to call my green blockchain electric smart generator startup "Water and Power," but I knew Jet Girl would show up to roast me if that happened.
So I'm gonna call it Green Peek-an-Chew.
Re: (Score:2)
They used to produce software "Viagra" to compensate for the fact that you started your project with something Micro and Soft and then realized that you need network capabilities - tftp, bootp, etc.
Their branch out into NMS is fairly recent (In fact, I did not know they did when the hack was announced). They have brought into NMS world both some "Micro and Soft" competence and "total information awareness" as demanded by their USA and NATO military and government agen
Re: (Score:2)
Brilliant prose. In simple words: it is deeply wrong for system monitoring software to run as root.
Re: (Score:2)
What if Windows for Warships is actually really secure, but comes with built in honeypots that look like Windows bugs?
That's the problem with blathering about stuff with secret details. You don't know what those details are.
Re: (Score:2)
That's not exactly a new thing [wired.com]
Re: (Score:2)
Security space cases. Just part of life in the Windows universe.
Re: (Score:2)
Ahh, my network is being bombarded by a solar wind; it is stripping away all the firewall settings and creating massive localized radiation of charged particles. And these particles seem oddly attracted to Russian internet servers.
And if that isn't bad enough, Orion went supernova and took out half the supply chain management software.
Yeah, great branding. And people complained that Nagios was too naggy. That's nothing compared to a solarwind that stripped you bare.
Well force the PHB to come in the office to sign off (Score:2)
Well force the PHB to come in the office to sign off on the change order
Re:Solarwinds has always been a turd. (Score:4, Informative)
I don't know about Gartner but it started under Reagan who decided that selling parts of the government functions to Beltway Bandits somehow made things better. Then the Republican Party got in on the act and has been screwing the U.S. Government ever since so they can campaign on the slogan that government doesn't work.
Innovative, agile government (Score:3)
At some point in the US Government, IT went from innovative and agile problem solving to COTS (Common Off The Shelf) technology.
I'm sorry... did you allege there was a time in history when the U.S. Government's information technologies were characterized by "innovative and agile problem solving?"
I must be in the wrong universe.
Re: (Score:2)
there was a time in history when the U.S. Government's information technologies were characterized by "innovative and agile problem solving?"
WWII.
hahaha thank you Microsoft (Score:2)
For all the news articles about Microsoft's heroic actions, it was their insecure OS that caused the problem.
Well (Score:1)
Well, guidance of just taking the system offline with Orion installed is great, a typical Gov response. But that is probably just enough to make Congress happy since they know nothing about IT. That is what most responses consist of these days: do the bare minimum just to make the upper level happy. (The same is true in business also.)
From what I read, once they got into your network via Orion, they planted rootkits and such things in other systems. So just removing/upgrading Orion will not do anything if
Re: (Score:3)
Yeah, I'm sure that wouldn't have occurred to CISA and the government systems managers. Somehow you believe them to be as stupid as your post.
Re: (Score:2)
Indeed. You discovered that the problem is complicated and requires multiple actions, so when one action taken was made public, you knew there couldn't be anything else happening at all.
If a tree fell in the woods and somebody told you that they heard it, you'd know it didn't make a sound. After all, you didn't hear it.
Re: (Score:2)
There are other steps, and they will likely be taking them. The big issue is that it doesn't seem to have occurred to them that the real problem is trying to over-centralize management and granting way too much permission due to a combination of software not being written to behave well with only necessary permission and failure to do the analysis to determine the least privilege that can accomplish the task.
Updates? (Score:2)
1. Compromise update server.
2. Demand users install updates.
3. ???
The real heroes (Score:1)
Let's give it up for the security researchers who kept working over holiday break to make sure USG had a good enough reason to patch their shitty systems.