SolarWinds Bug Allows for Remote-Code Execution

Author: Melodie Foster

Date: 3rd February 2021

Researchers have disclosed three severe vulnerabilities, one of which could have led to a remote code execution (RCE) with elevated privileges which impacts SolarWinds products. Two flaws were identified in the SolarWinds Orion Platform, while a third was found in the company’s Serv-U FTP server for Windows.

The most severe vulnerability stems from improper use of Microsoft Messaging Queue by allowing unauthenticated users to send messages over TCP port 1801 to these queues. This could eventually lead an attacker to attaining RCE by attaching it with another deserialization issue in the code which handles incoming messages.

The second vulnerability stems from credentials of the backend database being stored in an insecure manner, this can result in a local, unprivileged user taking complete control over the database. This could result in the attacker stealing information or adding new admin-level users that can be used inside SolarWinds Orion products.

The final flaw found could allow an authenticated user to drop a file that could define a new admin user. This could have been leveraged by logging in as the new admin user via FTP and would be able to read and replace any file on the drive.

While none of these three flaws have been exploited, it is still recommended to upgrade to Orion Platform version 2020.2.4 and Serv-U FTP 15.2.2 Hotfix 1 to mitigate the risks.[1]

[1] https://thehackernews.com/2021/02/3-new-severe-security-vulnerabilities.html

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

SolarWinds Bug Allows for Remote-Code Execution

Author: Melodie Foster

Date: 3rd February 2021

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta