Securin’s Analysis of SolarWinds: Top Scanners Miss Several Vulnerabilities
Securin Team
Dec 16, 2020
The massive breach of the SolarWinds Network Management product has compromised as many as 18,000 organizations beyond US Government entities, security agencies, and defense entities. We took a closer look at the weaknesses that exist in other SolarWinds products and found that the top scanners miss most of the vulnerabilities.
Our Key Findings
102 vulnerabilities exist in SolarWinds products, of which 34 CVEs are weaponized.
30 CVEs are rated critical and 21 are rated high.
85 old vulnerabilities exist in SolarWinds, ranging from 2001 to 2019.
CWE-79 (Improper Neutralization of Input During Web Page Generation) appears to be the most exploited weakness, with 18 CVEs falling in this category.
The 15 CVEs in the Orion Network Management tool and CVE-2019-9546 are the suspected culprits for this breach.
The SolarWinds Orion Network Management tool is also responsible for the FireEye breach, in which pentesters’ tools were stolen.
The Attack Surface
When we analyzed the vulnerabilities and weaponization statistics, we observed the following:
Old Vulnerabilities
83% of the vulnerabilities in SolarWinds are old weaknesses. These vulnerabilities range from 2001 to 2020, presenting two decades of bugs.
SolarWinds Scanner Coverage Analysis
We analyzed the data further by checking which of the CVEs each of several vulnerability scanners can detect.
Out of 102 CVEs, the Tenable scanner detected 37 vulnerabilities.
Qualys was able to find 15 vulnerabilities.
Nexpose detected a single vulnerability.
Internet chatter is abuzz with the suggestion that this might be a nation-state attack, an assessment we concur with. There have been no demands for ransom, and the threat actors have been patiently biding their time since the spring of 2020 to mount their attacks. While much conversation is circulating about the APT groups that could have been involved in this attack, our investigation has not revealed any association with ransomware or APT groups.
What we see today is probably the most serious cyberattack of all time perpetrated by threat actors not motivated by greed. With state secrets compromised, attacks such as these force us to take a step back and consider what we can learn from them.
One of the many lessons from this incident is that organizations must seriously invest in vulnerability management and penetration testing, and continuously check their attack surface from infrastructure to code.