SolarWinds Patches Vulnerabilities That Could Allow Full System Control (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities. Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds' software development system and used it to distribute backdoored updates to Orion customers. It didn't take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There's no evidence any of the vulnerabilities have been exploited in the wild.
The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274, the vulnerability stems from Orion's use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines. [...] The second Orion vulnerability, tracked as CVE-2021-25275, is the result of Orion storing database credentials in an insecure manner. Specifically, Orion keeps the credentials in a file that's readable by unprivileged users. Rakhmanov facetiously called this "Database Credentials for Everyone." While the files cryptographically protect the passwords, the researcher was able to find code that converts the password to plaintext. The result: anyone who can log in to a box locally or through the Remote Desktop Protocol can gain the credentials for the SolarWindsOrionDatabaseUser.
The third vulnerability, tracked as CVE-2021-25276, resides in the Serv-U FTP for Windows. The program stores details for each account in a separate file. Those files can be created by any authenticated Windows user. Rakhmanov wrote: "Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem." Fixes for Orion and Serv-U FTP are available here and here.
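As an added defender-side check (this is not code from the article, Trustwave, or SolarWinds), the PowerShell script below audits the NTFS ACLs on the two locations the report singles out: the directory holding Orion's credential file (the CVE-2021-25275 class, where unprivileged read is the problem) and the directory holding Serv-U's per-user definition files (the CVE-2021-25276 class, where unprivileged file creation is the problem). Both paths are placeholders you replace with your deployment's locations, and the list of low-privilege principals is an assumption you may extend.

```powershell
# Added example, not part of the article. Audits ACLs on the Orion credential
# directory and the Serv-U user-definition directory and reports ACEs that
# grant read (Orion) or create/write (Serv-U) rights to low-privilege principals.
param(
    [string]$OrionConfigPath = 'C:\PLACEHOLDER\Orion\config',  # placeholder path
    [string]$ServUUserDir    = 'C:\PLACEHOLDER\Serv-U\Users'   # placeholder path
)

# Principals that should never hold sensitive rights on these locations (assumed list).
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

function Get-RiskyAces {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Path not found: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs held by low-privilege principals matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $who) { continue }
        # Flag the ACE if any of the sensitive rights is present (bitwise test).
        if (($ace.FileSystemRights -band $Rights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @()
# CVE-2021-25275 class: unprivileged users can read the stored credentials.
$findings += Get-RiskyAces -Path $OrionConfigPath -Rights 'ReadData'
# CVE-2021-25276 class: unprivileged users can drop new user-definition files.
$findings += Get-RiskyAces -Path $ServUUserDir -Rights 'CreateFiles, WriteData'

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No low-privilege principals hold sensitive rights on the audited paths.'
}
```

Inherited ACEs are reported too, because a default Program Files inheritance that lets BUILTIN\Users read a credential file is exactly the condition the report describes; remediate by breaking inheritance and restricting the ACL to the service account and administrators, after applying the vendor fixes.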
WTF? This is not editoring (Score:1)
I'm going to cancel my membership, this is not "reporting".
This is blind clickbait,
So sad. /. is no more..
Re: (Score:2)
A good question here is "who still uses SolarWinds, and of those people who still use it, who trust the software to not have been compromised"?
It's actually pretty standard for a company having massive growing pains as SolarWinds did. They hit a market niche that was in massive demand, and they needed to grow fast.
And that means cutting corners in everything from employee training to process auditing.
Reputation is (Score:2)
Re: (Score:3)
You mean like what happened to Equifax? [gq.com] Equifax stock is higher than ever after a horrible, very publicized security breach, and no one even remembers it anymore.
Yeah, they lost a class action lawsuit and still didn't have to pay everyone.
Are you sure? (Score:3)
Are you sure you want to apply any more SolarWinds patches? Just uninstall and get rid of this software already. It's caused enough damage.
Re: (Score:2)
Is uninstall good enough? I'm thinking wipe and start over, but don't use SW this time.
What (Score:2)
previously little-known company
They've been a pretty well known player in the network industry for quite some time.
Solarwinds? (Score:1)
people still use that diseased crap?
Don't use Windows with Serv-U (Score:2)
The Serv-U product runs on Linux because SolarWinds acquired the product from RhinoSoft.
It is a good product that we use in our org. However, we have always run it on Linux in a DMZ with SELinux enabled.