Patches have been released to fix three vulnerabilities SolarWinds products. Two of the flaws affect the SolarWinds Orion platform, and the third affects the Serv-U FTP server for Windows. One of the SolarWinds Orion flaws allows remote code execution with admin privileges and could be exploited by a remote attacker to take full control of the Orion platform. The other vulnerability in the platform could only be exploited by a local attacker.
Martin Rakhmanov of SpiderLabs at Trustwave identified the vulnerabilities and reported them to SolarWinds on December 30, 2020. Patches to fix the flaws were released by SolarWinds on January 22 and January 25. A proof-of-concept exploit has been developed, although it has not been released to give SolarWinds customers time to apply the patch and correct the flaws. The PoC code will be released on February 9, 2021, so it is important for the patches to be applied before that date.
The most severe vulnerability, tracked as CVE-2021-25274, is due to improper use of the Microsoft Messaging Queue (MSMQ), which is extensively used by the SolarWinds Orion Collector Service. Exploiting the flaw would allow an unauthenticated user to send messages to queues over TCP port 1801, which would allow an attacker to remotely execute code. The patch addresses this issue by adding a digital signature validation step when a new message arrives. If a message does not have a valid signature it will no longer be processed.
The second vulnerability, tracked as CVE-2021-25275, concerns insufficient protections for credentials for the Orion backend database. This flaw cannot be exploited remotely to obtain credentials, but they are freely available to local users. The credentials are encrypted, but it was relatively easy for the researcher to find the code to decrypt them. A local attacker would be able to get the credentials and have control over the SolarWinds Orion database, allowing them to steal sensitive data or create users with admin privileges.
The third vulnerability, tracked as CVE-2021-25276, affects SolarWinds Serv-U FTP Server. The flaw would allow an attacker to login to the system locally or via a Remote Desktop session and deliver a file that would create a new admin user that has full access to the c:\ drive. An attacker could then login to that account via FTP and read or replace any file on the drive.