SolarWinds has now issued patches for 3 security vulnerabilities in total.
The 3 serious vulnerabilities have been found in SolarWinds products: 2 in the Orion User Device Tracker & 1 in the Serv-U FTP for Windows product. The most severe of these could allow trivial remote code execution with high privileges.
The SolarWinds Orion platform is the network management tool at the heart of the recent espionage attack against several US Govt. agencies, tech companies & other high-profile targets. It allows users to manage devices, software & firmware versioning, applications & so on, & has full visibility into enterprise customer networks.
Spy Attack
The new vulnerabilities have not been shown to be used in the spy attack, but admins should nonetheless apply patches as soon as possible, according to Martin Rakhmanov, Security Research Manager for SpiderLabs at Trustwave.
Trustwave is not providing specific proof-of-concept (PoC) code until Feb. 9, in order to give SolarWinds users a longer time to patch, he noted in a Wed. blog posting.
Microsoft Messaging for SolarWinds Orion Takeover
The most critical bug (CVE-2021-25274) does not require local access & allows complete control over SolarWinds Orion remotely without having any credentials at all.
As a part of the platform installation, there is a setup for Microsoft Messaging Queue (MSMQ), which is a 2-decade-old technology that is no longer installed by default on modern Windows systems.
“Improper use of MSMQ could allow any remote unprivileged user the ability to execute any arbitrary code in the highest privilege,” according to Trustwave’s advisory, issued on Wed.
Unauthenticated Users
Rakhmanov said that it is possible for unauthenticated users to send messages to private queues over TCP port 1801.
“My interest was piqued & I also jumped in to look at the code that handles incoming messages,” he explained.
“Unfortunately, it turned out to be an unsafe deserialisation victim. This allows remote code execution by remote, unprivileged users through combining those 2 issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system.”
Info-Stealing
The 2nd bug (CVE-2021-25275) was also found in the SolarWinds Orion framework. It allows unprivileged users who can log in locally or via Remote Desktop Protocol (RDP) to obtain a cleartext password for the backend database for the Orion platform, called SolarWindsOrionDatabaseUser – & from there set themselves up as an admin to steal information.
“SolarWinds credentials are stored in an insecure manner that could allow any local users, despite privileges, to take complete control over the SOLARWINDS_ORION database,” says Trustwave.
Permissions
Permissions are generously granted to all locally authenticated users, Rakhmanov found, & authenticated users can generally read database file content.
He ran “a simple grep” (a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern) across the files installed by the product to look for a configuration file, which he located.
Inside the config file were the Orion backend database credentials, albeit encrypted.
“I spent some time finding code that decrypts the password but essentially, it’s a one-liner,” he noted.
Decrypting Code
Once an unprivileged user runs the decrypting code, they can get a cleartext password for the SolarWindsOrionDatabaseUser.
“The next step is to connect to the Microsoft SQL Server using the recovered account, & at this point, we have complete control over the SOLARWINDS_ORION database,” Rakhmanov explained. “From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.”
New Admin Users
The 3rd issue is a SolarWinds Serv-U FTP vulnerability (CVE-2021-25276). The product is used for secure transfer and large file-sharing.
The bug lets local privilege escalation, so that an attacker gains the ability to read, write to or delete any file on the system.
“Any local user, regardless of privilege, can create a file that can define a new Serv-U FTP admin account with full access to the C:\ drive,” according to Trustwave. “This account can then be used to log in via FTP and read or replace any file on the drive.”
Authenticated
Rakhmanov found that the platform’s directory access control lists allow complete compromise by any authenticated Windows user.
“Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, & the Serv-U FTP will automatically pick it up,” he explained. “Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file & then set the home directory to the root of C:\ drive.”
Digital Signature Validation
SolarWinds patches are available, in Orion Platform 2020.2.4 & ServU-FTP 15.2.2 Hotfix 1.
Rakhmanov did issue a note of caution on the fix for the CVE-2021-25275 info-stealing bug.
“After the patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed,” he explained.
“On the other hand, the MSMQ is still unauthenticated & allows anyone to send messages to it.”
https://www.cybernewsgroup.co.uk/virtual-conference-march-2021/
