ID: CVE-2021-25274 | Type: cve | Reporter: cve@mitre.org | Modified: 2021-02-08T14:56:00
Description
The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing such messages, the service deserializes them in an insecure manner, allowing remote arbitrary code execution as LocalSystem.
{"id": "CVE-2021-25274", "bulletinFamily": "NVD", "title": "CVE-2021-25274", "description": "The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.", "published": "2021-02-03T17:15:00", "modified": "2021-02-08T14:56:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25274", "reporter": "cve@mitre.org", "references": ["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/"], "cvelist": ["CVE-2021-25274"], "type": "cve", "lastseen": "2021-02-09T14:43:32", "edition": 2, "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:4D8A45D9-93E7-4267-B52C-96AB82DF5A06"]}, {"type": "nessus", "idList": ["SOLARWINDS_ORION_2019_4_2.NASL", "SOLARWINDS_ORION_2020_2_4.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:9D9AFD21093A2BAEA68BD964595F69A3"]}, {"type": "thn", "idList": ["THN:A16295D1572D6F721B7A8CC6EB7690FA"]}, {"type": "threatpost", "idList": ["THREATPOST:9347B4A695C8250B35A5455A788D2D99"]}], "modified": "2021-02-09T14:43:32", "rev": 2}, "score": {"value": 4.7, "vector": "NONE", "modified": "2021-02-09T14:43:32", "rev": 2}, "twitter": {"counter": 13, "tweets": [{"link": "https://twitter.com/mubix/status/1358125270503407619", "text": "Awesome analysis of SolarWinds Orion Platform Unauthenticated RCE (CVE-2021-25274) - https://t.co/2sSztmfpJZ?amp=1 regarding the /SpiderLabs blog post:"}, {"link": "https://twitter.com/ipssignatures/status/1358159536255873032", "text": "The vuln 
CVE-2021-25274 has a tweet created 0 days ago and retweeted 9 times.\n/mubix/status/1358125270503407619\n/hashtag/Smmcv7hpsw7dxg?src=hashtag_click"}, {"link": "https://twitter.com/reconshell/status/1358645017212973057", "text": "CVE-2021-25274 - SolarWinds Orion Platform Unauthenticated RCE\n\n/hashtag/SolarWinds?src=hashtag_click /hashtag/RCE?src=hashtag_click /hashtag/CodeExecution?src=hashtag_click /hashtag/vulnerabilities?src=hashtag_click /hashtag/SecurityResearcher?src=hashtag_click\n/Emrullah_A"}, {"link": "https://twitter.com/ipssignatures/status/1358190234597535750", "text": "The vuln CVE-2021-25274 has a tweet created 0 days ago and retweeted 9 times.\n/mubix/status/1358125270503407619\n/hashtag/Smmcv7hpsw7dxg?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1358341737555574791", "text": "I think that the second retweeted(15 times) tweet that contains CVE ID between Feb 6 2021 09:01 UTC and Feb 7 2021 09:00 UTC is:\n/mubix/status/1358125270503407619\nIt has CVE-2021-25274. /hashtag/l24_mmcv7hpsw7dxg?src=hashtag_click"}, {"link": "https://twitter.com/qualys/status/1357399935272972290", "text": "Three critical (RCE with high privileges) vulnerabilities in /hashtag/SolarWinds?src=hashtag_click products. Here's how to detect and patch. 
(CVE-2021-25274, CVE-2021-25275, CVE-2021-25276) https://t.co/cHV8liGN9e?amp=1"}, {"link": "https://twitter.com/beuchelt/status/1358601950821044225", "text": "Never ending story: \n\n/solarwinds /hashtag/Orion?src=hashtag_click Platform /hashtag/Unauthenticated?src=hashtag_click /hashtag/RCE?src=hashtag_click (CVE-2021-25274) | AttackerKB"}, {"link": "https://twitter.com/ipssignatures/status/1358159535454699521", "text": "I know no IPS that has a protection/signature/rule for the vulnerability CVE-2021-25274.\nThe vuln was published 3 days ago by NIST.\n/search?src=sprv&q=CVE-2021-25274\n/hashtag/Smmcv7hpsw7dxg?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1359306593079349249", "text": "It is the first time for me to know a protection/signature/rule for the vulnerability CVE-2021-25274.\n/hashtag/Smmcv7hpsw7dxg?src=hashtag_click"}, {"link": "https://twitter.com/ipssignatures/status/1359306592374693894", "text": "It's new to me that proofpoint has a protection/signature/rule for the vulnerability CVE-2021-25274.\nhttps://t.co/04NxM7VQxd?amp=1\n/search?src=sprv&q=CVE-2021-25274\nThe vuln was published 6 days ago by NIST.\n/hashtag/Smmcv7hpsw7dxg?src=hashtag_click"}], "modified": "2021-02-09T14:43:32"}, "vulnersScore": 4.7}, "cpe": [], "affectedSoftware": [{"cpeName": "solarwinds:orion_platform", "name": "solarwinds orion platform", "operator": "lt", "version": "2020.2.4"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:solarwinds:orion_platform:2020.2.4:*:*:*:*:*:*:*", "versionEndExcluding": "2020.2.4", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory", "Exploit"], "url": 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": [], "cwe": ["CWE-502"], "scheme": null}
{"attackerkb": [{"lastseen": "2021-02-09T12:19:15", "bulletinFamily": "info", "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "description": "The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn\u2019t set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.\n\n \n**Recent assessments:** \n \n**wvu-r7** at February 05, 2021 10:45pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/GuXRxDl2UG/cve-2021-25274#rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2021-02-09T00:00:00", "published": "2021-02-03T00:00:00", "id": "AKB:4D8A45D9-93E7-4267-B52C-96AB82DF5A06", "href": "https://attackerkb.com/topics/GuXRxDl2UG/solarwinds-orion-platform-unauthenticated-rce-cve-2021-25274", "type": "attackerkb", "title": "SolarWinds Orion Platform Unauthenticated RCE (CVE-2021-25274)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-12T14:00:50", "description": "The Collector Service in SolarWinds Orion Platform before 2019.4.2 uses MSMQ (Microsoft Message Queue) and doesn't set\npermissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that\nthe Collector Service will process. 
Additionally, upon processing of such messages, the service deserializes them in\ninsecure manner, allowing remote arbitrary code execution as LocalSystem.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "SolarWinds Orion Platform < 2019.4.2 Remote Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-25274"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/a:solarwinds:orion_platform"], "id": "SOLARWINDS_ORION_2019_4_2.NASL", "href": "https://www.tenable.com/plugins/nessus/146309", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146309);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/11\");\n\n script_cve_id(\"CVE-2021-25274\");\n\n script_name(english:\"SolarWinds Orion Platform < 2019.4.2 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Collector Service in SolarWinds Orion Platform before 2019.4.2 uses MSMQ (Microsoft Message Queue) and doesn't set\npermissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that\nthe Collector Service will process. 
Additionally, upon processing of such messages, the service deserializes them in\ninsecure manner, allowing remote arbitrary code execution as LocalSystem.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2019-4-2_release_notes.htm#link4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?413ea028\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to SolarWinds Orion Platform 2019.4.2 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"windows\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25274\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:solarwinds:orion_platform\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"solarwinds_orion_npm_detect.nasl\", \"solarwinds_orion_installed.nbin\");\n script_require_keys(\"installed_sw/SolarWinds Orion Core\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvcf::solarwinds_orion::initialize();\napp_info = vcf::solarwinds_orion::combined_get_app_info();\n\nconstraints = [\n { 'min_version' : '0.0', 'fixed_version' : '2019.4.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-12T14:00:50", "description": "According to its self-reported version number, the version of SolarWinds Orion Platform is prior to 2020.2.4. It is,\ntherefore, affected by multiple vulnerabilities:\n\n - The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and\n doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to\n TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the\n service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem. (CVE-2021-25274)\n\n - SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL\n Server backend, and stores database credentials to access this backend in a file readable by unprivileged\n users. As a result, any user having access to the filesystem can read database login details from that file,\n including the login name and its associated password. Then, the credentials can be used to get database owner access\n to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and\n leads to admin access to the applications by inserting or changing authentication data stored in the Accounts\n table of the database. 
(CVE-2021-25275)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "SolarWinds Orion Platform < 2020.2.4 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-25274", "CVE-2021-25275"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/a:solarwinds:orion_platform"], "id": "SOLARWINDS_ORION_2020_2_4.NASL", "href": "https://www.tenable.com/plugins/nessus/146310", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146310);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/11\");\n\n script_cve_id(\"CVE-2021-25274\", \"CVE-2021-25275\");\n\n script_name(english:\"SolarWinds Orion Platform < 2020.2.4 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote host is affected by Multiple Vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of SolarWinds Orion Platform is prior to 2020.2.4. It is,\ntherefore, affected by multiple vulnerabilities:\n\n - The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and\n doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to\n TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the\n service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem. 
(CVE-2021-25274)\n\n - SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL\n Server backend, and stores database credentials to access this backend in a file readable by unprivileged\n users. As a result, any user having access to the filesystem can read database login details from that file,\n including the login name and its associated password. Then, the credentials can be used to get database owner access\n to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and\n leads to admin access to the applications by inserting or changing authentication data stored in the Accounts\n table of the database. (CVE-2021-25275)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2a457f40\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to SolarWinds Orion Platform 2020.2.4 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"windows\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-25274\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:solarwinds:orion_platform\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"solarwinds_orion_npm_detect.nasl\", \"solarwinds_orion_installed.nbin\");\n script_require_keys(\"installed_sw/SolarWinds Orion Core\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvcf::solarwinds_orion::initialize();\napp_info = vcf::solarwinds_orion::combined_get_app_info();\n\nconstraints = [\n { 'min_version' : '2020.0', 'fixed_version' : '2020.2.4' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-02-09T16:48:56", "bulletinFamily": "info", "cvelist": ["CVE-2021-25274", "CVE-2021-25275"], "description": "\n\nNot content with the beating it laid down in January, 2021 continues to deliver with an unpatched zero-day exposure in some SonicWall appliances and three moderate-to-critical CVEs in SolarWinds software. We dig into the details below.\n\n## Urgent mitigations required for SonicWall SMA 100 Series appliances\n\nOn Jan. 
22, 2021, SonicWall published [an advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001>) and [in-product notification](<https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-confirms-sma-100-series-10-x-zero-day-vulnerability-feb-3-6-a-m-cst/210122173415410/>) that they had identified a coordinated attack on their internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.\n\nSpecifically, they identified Secure Mobile Access (SMA) version 10.x running on the following physical SMA 100 appliances running firmware version 10x, as well as the SMA 500v virtual appliance:\n\n * SMA 200\n * SMA 210\n * SMA 400\n * SMA 410\n\nOn Jan. 31, 2021, NCC Group Research & Technology [confirmed and demonstrated exploitability](<https://twitter.com/NCCGroupInfosec/status/1355850304596680705?ref_src=twsrc%5Etfw>) of a possible candidate for the vulnerability and detected indicators that attackers were exploiting this weakness.\n\nOn Feb. 3, 2021, SonicWall [released a patch](<http://www.mysonicwall.com>) to firmware version SMA 10.2.0.5-29sv, which all impacted organizations should apply immediately.\n\nSonicWall has recommended removing all SMA 100 Series appliances for SMA 500v virtual appliances from the internet until a patch is available. If this is not possible, organizations are strongly encouraged to perform the following steps:\n\n * Enable multi-factor authentication. 
SonicWall has indicated this is a \u201ccritical\u201d step until the patch is available.\n * Reset user password for all SMA 100 appliances.\n * Configure the [web application firewall on the SMA 100 series](<https://www.sonicwall.com/support/knowledge-base/how-to-configure-web-application-firewall-waf-on-the-sma-100-series/210202202221923/>), which has been updated with rules to detect exploitation attempts (SonicWall indicates that this is normally a subscription-based software, but they have automatically provided 60-day complementary licenses to organizations affected by this vulnerability).\n\nIf it\u2019s not possible to perform these steps, SonicWall recommends that organizations downgrade their SMA 100 Series appliances to firmware version 9.x. They do note that this will remove all settings and that the devices will need to be reconfigured from scratch.\n\n## Urgent patching required for SolarWinds Orion and Serv-U FTP products \n\n\nOn Feb. 3, 2021, Trustwave published a [blog post](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/>) providing details on two vulnerabilities in the SolarWinds Orion platform and a single vulnerability in the SolarWinds Serv-U FTP server for Windows.\n\nThe identified Orion platform weaknesses include:\n\n * `CVE-2021-25274`: Trustwave discovered that improper/malicious use of Microsoft Message Queue (MSMQ) could allow any remote, unprivileged attacker to execute arbitrary code in the highest privilege.\n * `CVE-2021-25275`: Trustwave discovered that credentials are stored insecurely, allowing any local user to take complete control over the `SOLARWINDS_ORION` database. 
This could lead to further information theft, and also enables attackers to add new admin-level users to all SolarWinds Orion platform products.\n\nThe identified SolarWinds Serv-U FTP server for Windows weakness enables any local user to create a file that can define a new Serv-U FTP admin account with full access to the C:\\ drive, which will then give them **access or replace any directory or file on the server**.\n\nTrustwave indicated they have private, proof-of-concept code that will be published on Feb. 9, 2021.\n\nSolarWinds Orion Platform users can upgrade to version [2020.2.4](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>). SolarWinds ServU-FTP users can upgrade to version [15.2.2 Hotfix 1](<https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip>).\n\nRapid7 vulnerability researchers have identified that after the Orion Platform patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed. On the other hand, the MSMQ is still unauthenticated and allows anyone to send messages to it.\n\n## Rapid7 response\n\nRapid7 Labs is keeping a watchful eye on [Project Heisenberg](<https://www.rapid7.com/research/project-heisenberg/>) for indications of widespread inventory scans (attackers looking for potentially vulnerable systems) and will provide updates, as warranted, on any new developments.\n\n[InsightVM](<https://www.rapid7.com/products/insightvm/>) and Nexpose customers can assess their exposure to these CVEs with remote vulnerability checks. 
\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "modified": "2021-02-03T23:33:40", "published": "2021-02-03T23:33:40", "id": "RAPID7BLOG:9D9AFD21093A2BAEA68BD964595F69A3", "href": "https://blog.rapid7.com/2021/02/03/sonicwall-snwlid-2021-0001-zero-day-and-solarwinds-2021-cve-trifecta-what-you-need-to-know/", "type": "rapid7blog", "title": "SonicWall SNWLID-2021-0001 Zero-Day and SolarWinds\u2019 2021 CVE Trifecta: What You Need to Know", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-02-03T22:38:15", "bulletinFamily": "info", "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "description": "Three serious vulnerabilities have been found in SolarWinds products: Two in the Orion User Device Tracker and one in the Serv-U FTP for Windows product. The most severe of these could allow trivial remote code execution with high privileges.\n\nThe SolarWinds Orion platform is the network management tool at the heart of [the recent espionage attack](<https://threatpost.com/mimecast-solarwinds-hack-security-vendor-victims/163431/>) against several U.S. government agencies, tech companies and other high-profile targets. It allows users to manage devices, software and firmware versioning, applications and so on, and has full visibility into enterprise customer networks.\n\nThese fresh vulnerabilities have not been shown to be used in the spy attack, but admins should nonetheless apply patches as soon as possible, according to Martin Rakhmanov, security research manager for SpiderLabs at Trustwave.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nTrustwave is not providing specific proof-of-concept (PoC) code until Feb. 
9, in order to give SolarWinds users a longer time to patch, he noted in a Wednesday blog posting.\n\n## **Microsoft Messaging for SolarWinds Orion Takeover**\n\nThe most critical bug (CVE-2021-25274) does not require local access and allows complete control over SolarWinds Orion remotely without having any credentials at all.\n\nAs a part of the platform installation, there is a setup for Microsoft Messaging Queue (MSMQ), which is a two-decade-old technology that is no longer installed by default on modern Windows systems.\n\n\u201cImproper use of MSMQ could allow any remote unprivileged user the ability to execute any arbitrary code in the highest privilege,\u201d according to [Trustwave\u2019s advisory](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28389>), issued on Wednesday.\n\nRakhmanov said that it\u2019s possible for unauthenticated users to send messages to private queues over TCP port 1801.\n\n\u201cMy interest was piqued and I [also] jumped in to look at the code that handles incoming messages,\u201d he explained. \u201cUnfortunately, it turned out to be an unsafe deserialization victim. [This] allows remote code execution by remote, unprivileged users through combining those two issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system.\u201d\n\n## **Info-Stealing from the Orion Database**\n\nThe second bug (CVE-2021-25275) was also found in the SolarWinds Orion framework. 
It allows unprivileged users who can log in locally or via Remote Desktop Protocol (RDP) to obtain a cleartext password for the backend database for the Orion platform, called SolarWindsOrionDatabaseUser \u2013 and from there set themselves up as an admin to steal information.\n\n\u201cSolarWinds credentials are stored in an insecure manner that could allow any local users, despite privileges, to take complete control over the SOLARWINDS_ORION database,\u201d according to Trustwave.\n\nPermissions are generously granted to all locally authenticated users, Rakhmanov found, and authenticated users can generally read database file content. He ran \u201ca simple grep\u201d (a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern) across the files installed by the product to look for a configuration file, which he located.\n\nInside the config file were the Orion backend database credentials, albeit encrypted.\n\n\u201cI spent some time finding code that decrypts the password but essentially, it\u2019s a one-liner,\u201d he noted.\n\nOnce an unprivileged user runs the decrypting code, they can get a cleartext password for the SolarWindsOrionDatabaseUser.\n\n\u201cThe next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database,\u201d Rakhmanov explained. \u201cFrom here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.\u201d\n\n## **Adding Admin Users**\n\nThe third issue is a SolarWinds Serv-U FTP vulnerability (CVE-2021-25276). 
The product is used for secure transfer and large file-sharing.\n\nThe bug allows local privilege escalation so that an attacker gains the ability to read, write to or delete any file on the system.\n\n\u201cAny local user, regardless of privilege, can create a file that can define a new Serv-U FTP admin account with full access to the C:\\ drive,\u201d according to Trustwave. \u201cThis account can then be used to log in via FTP and read or replace any file on the drive.\u201d\n\nRakhmanov discovered that the platform\u2019s directory access control lists allow complete compromise by any authenticated Windows user.\n\n\u201cSpecifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up,\u201d he explained. \u201cNext, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\\ drive.\u201d\n\nSolarWinds patches are available, in Orion Platform 2020.2.4 and ServU-FTP 15.2.2 Hotfix 1.\n\nRakhmanov did issue a caveat on the fix for the CVE-2021-25275 info-stealing bug.\n\n\u201cAfter the patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed,\u201d he explained. 
\u201cOn the other hand, the MSMQ is still unauthenticated and allows anyone to send messages to it.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) _**Healthcare Security Woes Balloon in a Covid-Era World**_**, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** \u2013 on us!**\n", "modified": "2021-02-03T11:00:21", "published": "2021-02-03T11:00:21", "id": "THREATPOST:9347B4A695C8250B35A5455A788D2D99", "href": "https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/", "type": "threatpost", "title": "SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2021-02-05T06:28:09", "bulletinFamily": "info", "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "description": "[](<https://thehackernews.com/images/-Z2pOVuMPPo4/YBqI9jJR7DI/AAAAAAAABqs/gEmdlXvL7Ko6f_bSYxm6gB5dzNGt0EtawCLcBGAsYHQ/s0/solarwinds.jpg>)\n\nCybersecurity researchers on Wednesday disclosed three severe security vulnerabilities impacting SolarWinds products, the most severe of which could have been exploited to achieve remote code execution with elevated privileges.\n\nTwo of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows, 
[said](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/>) cybersecurity firm Trustwave in a technical analysis.\n\nNone of the three vulnerabilities are believed to have been exploited in any \"in the wild\" attacks or during the unprecedented [supply chain attack](<https://thehackernews.com/2021/01/heres-how-solarwinds-hackers-stayed.html>) targeting the Orion Platform that came to light last December.\n\nThe two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25.\n\nIt's highly recommended that users install the latest versions of [Orion Platform](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>) and Serv-U FTP ([15.2.2 Hotfix 1](<https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip>)) to mitigate the risks associated with the flaws. 
Trustwave said it intends to release proof-of-concept (PoC) code next week, on February 9.\n\n### Complete Control Over Orion \n\nChief among the vulnerabilities uncovered by Trustwave is the improper use of Microsoft Message Queuing ([MSMQ](<https://docs.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms711472\\(v=vs.85\\)>)), on which the SolarWinds Orion Collector Service relies heavily: the service creates its private queues without setting permissions on them, so unauthenticated remote users can send messages to those queues over TCP port 1801. Chaining that with an unsafe deserialization issue in the code that handles incoming messages yields remote code execution.\n\n\"Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system,\" Trustwave researcher Martin Rakhmanov said.\n\nThe patch released by SolarWinds (Orion Platform [2020.2.4](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>)) addresses the bug with a digital signature validation step performed on arriving messages, so that messages lacking a valid per-installation signature are not processed further. Rakhmanov cautioned, however, that the MSMQ queues themselves are still unauthenticated and accept messages from anyone, so the protection rests on that check in the consumer.\n\nThe second vulnerability, also found in the Orion Platform, concerns the insecure manner in which the credentials of the backend database (named \"SOLARWINDS_ORION\") are stored in a configuration file, allowing a local, unprivileged user to take complete control over the database, steal information, or even add a new admin-level user for use inside SolarWinds Orion products.\n\nLastly, a [flaw](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28396>) in SolarWinds Serv-U FTP Server 15.2.1 for Windows could allow any 
attacker that can log in to the system locally or via Remote Desktop to drop a file that defines a new admin user with full access to the C:\\ drive, which can then be leveraged by logging in as that user via FTP to read or replace any file on the drive.\n\n### U.S. Department of Agriculture Targeted Using New SolarWinds Flaw\n\nNews of the three vulnerabilities in SolarWinds products comes on the heels of reports that alleged Chinese threat actors exploited a previously undocumented flaw in the company's software to break into the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture.\n\nThis flaw is said to be different from the weakness abused by suspected Russian threat operatives to compromise SolarWinds Orion software that was then distributed to as many as 18,000 of its customers, according to [Reuters](<https://www.reuters.com/article/us-cyber-solarwinds-china-exclusive/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8>).\n\nIn late December, Microsoft [said](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) a second hacker collective might have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems by taking advantage of an [authentication bypass vulnerability](<https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html>) in the Orion API to execute arbitrary commands.\n\nSolarWinds [issued a patch](<https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html>) to address the vulnerability on December 26, 2020.\n\nLast week, Brandon Wales, acting director of the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), [said](<https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601>) nearly 30% of the private-sector and government agencies linked to the intrusion campaign had no direct connection to SolarWinds, implying that the attackers used a [variety of ways](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>) to breach target environments.\n\nThe overlap in the twin espionage efforts notwithstanding, the campaigns are yet another sign that advanced persistent threat (APT) groups are increasingly focusing on the [software supply chain](<https://thehackernews.com/2021/02/a-new-software-supplychain-attack.html>) as a conduit to strike high-value targets such as corporations and government agencies.\n\nThe trust and ubiquity of software such as that from SolarWinds or Microsoft make it a lucrative target for attackers, underscoring the need for organizations to be on the lookout for potential dangers stemming from relying on third-party tools to manage their platforms and services.\n", "modified": "2021-02-05T04:43:57", "published": "2021-02-03T11:31:00", "id": "THN:A16295D1572D6F721B7A8CC6EB7690FA", "href": "https://thehackernews.com/2021/02/3-new-severe-security-vulnerabilities.html", "type": "thn", "title": "3 New Severe Security Vulnerabilities Found In SolarWinds Software", "cvss": {"score": 0.0, "vector": "NONE"}}]}
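The two consumer-side defects behind CVE-2021-25274 (an unauthenticated queue feeding an unsafe deserializer) and the gate that the Orion Platform 2020.2.4 patch is described as adding are easy to see in a small model. The following is an added example written for this page; it is not SolarWinds code and does not reproduce the Collector Service's real message format. Python's pickle stands in for the .NET serializer, and the per-installation key, the envelope layout (32-byte HMAC tag followed by the serialized body) and the sample messages are all assumptions made for the example.

```python
"""Added example (not SolarWinds code): a Python analogue of the pre-patch
and post-patch consumer behaviour discussed for CVE-2021-25274.

vulnerable_consume() deserializes whatever arrives on the queue, so whoever
can reach the queue chooses which callable runs.  hardened_consume() checks an
HMAC made with a per-installation key before any deserialization, then
deserializes with a loader that refuses global references.  Key, envelope
layout (32-byte tag || body) and sample messages are assumptions.
"""
import hashlib
import hmac
import io
import pickle

TAG_LEN = 32  # SHA-256 HMAC tag prepended to the serialized body (assumed layout)


# --- pre-patch shape: deserialize straight off the queue --------------------
def vulnerable_consume(raw: bytes):
    """No origin check and a full-fidelity deserializer: the sender decides
    what gets executed while the message is being 'read'."""
    return pickle.loads(raw)


class AttackerPayload:
    """Gadget-style object: when unpickled it calls an attacker-chosen callable
    (eval on a harmless expression here) instead of building data."""

    def __reduce__(self):
        return (eval, ("'code ran: ' + 'attacker-controlled'",))


def attacker_message() -> bytes:
    """Constructed payload an unauthenticated sender could drop on the queue."""
    return pickle.dumps(AttackerPayload())


# --- post-patch shape: authenticate first, then deserialize restrictively ----
class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup.  The telemetry messages in this example are
    plain dicts/lists/str/int, which pickle encodes without any find_class()."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def sign_message(key: bytes, obj) -> bytes:
    """Producer side: serialize, then prepend an HMAC over the body."""
    body = pickle.dumps(obj)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def hardened_consume(key: bytes, raw: bytes):
    """Returns (status, obj); obj is None unless status == 'ok'.

    The queue still accepts the bytes (the transport itself is unauthenticated,
    as the articles note for MSMQ), so the consumer must drop anything that is
    unsigned or signed with another key *before* the deserializer sees it.
    """
    if len(raw) < TAG_LEN:
        return ("malformed", None)
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return ("bad_signature", None)  # never reaches the deserializer
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(body)).load())
    except pickle.UnpicklingError:
        # Correctly signed but carries a global reference: leaked key or a
        # producer bug.  Still not executed.
        return ("rejected_type", None)


if __name__ == "__main__":
    install_key = b"\x11" * 32  # assumption: this installation's secret
    other_key = b"\x22" * 32    # assumption: some other installation's secret
    legit = sign_message(install_key, {"node": "core-sw1", "cpu_pct": 42})

    print("vulnerable, gadget     :", vulnerable_consume(attacker_message()))
    print("hardened, legit        :", hardened_consume(install_key, legit))
    print("hardened, unsigned     :", hardened_consume(install_key, attacker_message()))
    print("hardened, wrong key    :", hardened_consume(install_key, sign_message(other_key, {"x": 1})))
    print("hardened, signed gadget:", hardened_consume(install_key, sign_message(install_key, AttackerPayload())))
```

Run as a script it walks through the five cases: the unauthenticated gadget runs in the pre-patch consumer, while the hardened consumer drops unsigned and foreign-key messages before deserializing and refuses a signed gadget at the loader. The signature proves origin; the restricted loader limits damage if the key ever leaks. Neither closes the queue itself, which is the caveat Rakhmanov raises: setting permissions on the private queues and limiting who can reach TCP port 1801 at the host firewall are the complementary controls a deployment should add on its own.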