Three serious vulnerabilities have been found in SolarWinds products: two in the Orion User Device Tracker and one in Serv-U FTP for Windows. The most severe of these could allow trivial remote code execution with high privileges.
The SolarWinds Orion platform is the network management tool at the heart of the recent espionage attack against several U.S. government agencies, tech companies and other high-profile targets. It allows users to manage devices, software and firmware versioning, applications and so on, and has full visibility into enterprise customer networks.
These fresh vulnerabilities have not been shown to be used in the spy attack, but admins should nonetheless apply patches as soon as possible, according to Martin Rakhmanov, security research manager for SpiderLabs at Trustwave.
Trustwave is not providing specific proof-of-concept (PoC) code until Feb. 9, in order to give SolarWinds users a longer time to patch, he noted in a Wednesday blog posting.
Microsoft Messaging for SolarWinds Orion Takeover
The most critical bug (CVE-2021-25274) does not require local access and allows complete control over SolarWinds Orion remotely without having any credentials at all.
As part of the platform installation, there is a setup for Microsoft Message Queuing (MSMQ), a two-decade-old technology that is no longer installed by default on modern Windows systems.
“Improper use of MSMQ could allow any remote unprivileged user the ability to execute any arbitrary code in the highest privilege,” according to Trustwave’s advisory, issued on Wednesday.
Rakhmanov said that it’s possible for unauthenticated users to send messages to private queues over TCP port 1801.
“My interest was piqued and I [also] jumped in to look at the code that handles incoming messages,” he explained. “Unfortunately, it turned out to be an unsafe deserialization victim. [This] allows remote code execution by remote, unprivileged users through combining those two issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system.”
Info-Stealing from the Orion Database
The second bug (CVE-2021-25275) was also found in the SolarWinds Orion framework. It allows unprivileged users who can log in locally or via Remote Desktop Protocol (RDP) to obtain the cleartext password of SolarWindsOrionDatabaseUser, the account for the Orion platform’s backend database, and from there set themselves up as an admin to steal information.
“SolarWinds credentials are stored in an insecure manner that could allow any local users, despite privileges, to take complete control over the SOLARWINDS_ORION database,” according to Trustwave.
Permissions are generously granted to all locally authenticated users, Rakhmanov found, and authenticated users can generally read database file content. He ran “a simple grep” (a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern) across the files installed by the product to look for a configuration file, which he located.
Inside the config file were the Orion backend database credentials, albeit encrypted.
“I spent some time finding code that decrypts the password but essentially, it’s a one-liner,” he noted.
Once an unprivileged user runs the decrypting code, they can get a cleartext password for the SolarWindsOrionDatabaseUser.
“The next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database,” Rakhmanov explained. “From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.”
Adding Admin Users
The third issue is a SolarWinds Serv-U FTP vulnerability (CVE-2021-25276). The product is used for secure transfer and large file-sharing.
The bug allows local privilege escalation so that an attacker gains the ability to read, write to or delete any file on the system.
“Any local user, regardless of privilege, can create a file that can define a new Serv-U FTP admin account with full access to the C:\ drive,” according to Trustwave. “This account can then be used to log in via FTP and read or replace any file on the drive.”
Rakhmanov discovered that the platform’s directory access control lists allow complete compromise by any authenticated Windows user.
“Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up,” he explained. “Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive.”
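A defensive check for the condition behind both CVE-2021-25275 and CVE-2021-25276 as described above: install files readable, and a user-definition directory writable, by any locally authenticated user. This is an added example, not Trustwave's or SolarWinds' code; it parses `icacls` output, and the paths and sample ACLs are constructed placeholders rather than real product paths.

```python
import re

# Groups that include every user able to log in locally or over RDP.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
INHERIT = {"OI", "CI", "IO", "NP", "I"}          # inheritance flags, not rights
WRITE = {"F", "M", "W", "WD", "AD", "GW", "GA"}  # can create or alter files
READ = {"F", "M", "RX", "R", "RD", "GR", "GA"}   # can read file content
ACE = re.compile(r"^(?P<who>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

def risky_aces(path, icacls_output, rights):
    """Return [(principal, matched_rights)] for allow-ACEs that give a broad
    group any of `rights` on `path`, parsed from `icacls <path>` output."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):            # first line is "<path> <ACE>"
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:                            # blank line or summary line
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m["perms"]):
            tokens.update(t.strip() for t in group.split(","))
        if "DENY" in tokens or m["who"].lower() not in BROAD:
            continue
        hit = sorted((tokens - INHERIT) & rights)
        if hit:
            findings.append((m["who"], hit))
    return findings

# Constructed sample output; both paths are placeholders, not product paths.
USERS_DIR = r"C:\Example\FtpServer\Users"
USERS_DIR_ACL = r"""C:\Example\FtpServer\Users BUILTIN\Users:(OI)(CI)(M)
                           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files"""
CONFIG_FILE = r"C:\Example\Orion\app.config"
CONFIG_ACL = r"""C:\Example\Orion\app.config NT AUTHORITY\Authenticated Users:(I)(RX)
                            BUILTIN\Administrators:(I)(F)"""

if __name__ == "__main__":
    print(risky_aces(USERS_DIR, USERS_DIR_ACL, WRITE))
    print(risky_aces(CONFIG_FILE, CONFIG_ACL, READ))
```

A write finding on a directory the service loads user definitions from, or a read finding on a file holding stored credentials, is the exposure the two advisories describe.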
SolarWinds patches are available in Orion Platform 2020.2.4 and Serv-U FTP 15.2.2 Hotfix 1.
Rakhmanov did issue a caveat on the fix for the CVE-2021-25275 info-stealing bug.
“After the patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed,” he explained. “On the other hand, the MSMQ is still unauthenticated and allows anyone to send messages to it.”
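The patched behaviour Rakhmanov describes, where each message is authenticated before it is processed, sketched as an added example (not SolarWinds' code). It assumes an HMAC-SHA256 tag under a per-installation key as a stand-in for the certificate-based signature, and JSON as the message format; both are illustrative choices.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size   # 32-byte tag carried before the body

def sign(key, body):
    """Sender: prepend an HMAC-SHA256 tag (stand-in for the real signature)."""
    return hmac.new(key, body, hashlib.sha256).digest() + body

def handle(key, raw, stats):
    """Receiver: authenticate first, parse second. Returns the parsed message,
    or None when the message is dropped without being processed."""
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(tag) < TAG_LEN or not hmac.compare_digest(tag, expected):
        stats["rejected"] += 1           # unsigned, or signed with another key
        return None
    try:
        msg = json.loads(body)           # data-only format: parsing runs no code
    except ValueError:
        stats["rejected"] += 1
        return None
    stats["accepted"] += 1
    return msg

if __name__ == "__main__":
    # Constructed keys and messages. The queue itself is open to any sender,
    # so rejected messages still arrive and are worth counting and alerting on.
    install_key, other_key = b"A" * 32, b"B" * 32
    stats = {"accepted": 0, "rejected": 0}
    body = b'{"job": "poll", "node": 7}'
    for raw in (sign(install_key, body), body, sign(other_key, body)):
        print(handle(install_key, raw, stats))
    print(stats)
```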