{"id":7578,"date":"2020-12-15T21:15:11","date_gmt":"2020-12-16T04:15:11","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7578"},"modified":"2023-04-05T12:41:38","modified_gmt":"2023-04-05T19:41:38","slug":"vulnerability-analysis-solarwinds-orion-network-management","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/vulnerability-analysis-solarwinds-orion-network-management\/","title":{"rendered":"Vulnerability Analysis: SolarWinds Orion Network Management"},"content":{"rendered":"<blockquote>\n<p style=\"text-align: justify;\"><strong><span style=\"font-size: 18px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">The SolarWinds Orion Platform Software is a Network Management tool that is widely used by over 300,000 customers worldwide. Entities like defense, government agencies, software companies, and Fortune 500 organizations use this platform to monitor IT stack from infrastructure to application. SolarWinds confirmed in its <a href=\"https:\/\/www.solarwinds.com\/securityadvisory\">security advisory<\/a> that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been infected with malware known as SUNBURST\/Solorigate.<\/span><\/span><\/strong><\/p>\n<\/blockquote>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Security agencies in the US are in a panic because SolarWinds is a widely used and popular product. Here are a few details that would help you understand the gravity of this breach. <\/span><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Orion is used by the following:<\/span><\/span><\/p>\n<ul dir=\"ltr\" style=\"text-align: justify;\">\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">425+ US Fortune 500 companies\u00a0<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Top ten US telecommunication companies<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">All five branches of the US military<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Top five US accounting firms<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Hundreds of universities and colleges worldwide<\/span><\/span><\/li>\n<\/ul>\n<h3 style=\"text-align: justify;\"><span style=\"font-family: verdana,geneva,sans-serif;\">\u200b\u200b\u200b<strong style=\"font-size: 14px;\">Securin&#8217;s Insights and Key findings<\/strong><\/span><\/h3>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">A breach of this magnitude calls for a closer look. Here are a few key points from Securin\u2019s Attack Surface analysis on known vulnerabilities and what has been weaponized to date.<\/span><\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 500px; height: 379px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/solarwinds-funnel.png\" alt=\"\" \/><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">There are 102 vulnerabilities that exist in SolarWinds, out of which 15 are present in the Orion Platform Software.\u00a0<\/span><\/span><\/p>\n<ol dir=\"ltr\" style=\"text-align: justify;\">\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">4 CVEs are rated as critical, 1 as high, and 9 as medium.<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">11 are old vulnerabilities ranging from years 2010 to 2019.\u00a0<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/support.solarwinds.com\/SuccessCenter\/s\/article\/CVE-2019-9546-Orion-Platform-Vulnerability?language=en_US\">CVE-2019-9546<\/a>, a critical Privilege Execution vulnerability, is suspected to be the culprit that allowed this breach. There are <a href=\"https:\/\/www.activecyber.us\/activelabs\/solarwinds-local-privilege-escalation-cve-2019-9546\">well-known exploits<\/a> for this vulnerability.<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Analysis of Common Weakness Enumeration reveals that CWE-79 (Improper Neutralization of Input during Web Page Generation) is popularly used to exploit Orion\u2019s vulnerabilities.<\/span><\/span><\/li>\n<li role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">We found no publicly associated APT groups and ransomware with these 15 vulnerabilities at the time of writing this analysis.\u00a0<\/span><\/span><\/li>\n<\/ol>\n<h3 style=\"text-align: justify;\"><span style=\"font-family: verdana,geneva,sans-serif;\">\u200b\u200b\u200b<strong style=\"font-size: 14px;\">How Did the Attack Unfold?<\/strong><\/span><\/h3>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">SolarWinds&#8217; security advisory revealed that it was compromised early in 2020, but there is reasonable doubt to surmise that it might have been attacked as early as 2019 when the FTP credentials of SolarWinds were leaked onto GitHub.<\/span><\/span><\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" class=\"aligncenter\" style=\"height: 383px; width: 550px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/printscreen1.png\" alt=\"\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">SolarWinds, however, maintains that the threat actors installed a backdoor to a key library in early 2020. This library was then delivered to select customers through their normal updating process. This led to SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 being potentially affected. As an IT management platform, this backdoor provides a perfect getaway to an attacker who can enable or disable security tools and configurations or prevent patch applications that would mitigate the risk of these vulnerabilities.\u00a0<\/span><\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Here is a MITRE map of how this attack might have unfolded:<\/span><\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><img decoding=\"async\" class=\"aligncenter\" style=\"width: 900px; height: 471px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/solarwinds-attack-chain-image_revised.png\" alt=\"\" \/><\/span><\/span><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Our exposure analysis identified 1,687 internet-facing SolarWinds&#8217; products; 699 are from the US, and 56 are from India. Network Management Tools should never be exposed to the internet. Incidentally, Securin warned about six CVEs (CVE-2019-9017, CVE-2019-3980, CVE-2019-3957, CVE-2015-8220, CVE-2013-3249, and CVE-2018-12897) in our <a href=\"https:\/\/cybersecurityworks.com\/cyber-risk-series\/\">Cyber Risk series<\/a> when we researched on potentially vulnerable products that could be breached during the COVID-19 lockdown.\u00a0<\/span><\/span><\/p>\n<p dir=\"ltr\" style=\"text-align: justify;\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">This is a massive attack launched simultaneously at sensitive government agencies with the intent to cripple the country. The attackers have surreptitiously monitored the email communication of several federal agencies and have launched this attack. Here are a few recommendations to keep your organization safe:<\/span><\/span><\/p>\n<ul dir=\"ltr\">\n<li style=\"text-align: justify;\" role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Patch all vulnerabilities related to SolarWinds.<\/span><\/span><\/li>\n<li style=\"text-align: justify;\" role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">It is recommended to upgrade to Orion Platform version 2020.2.1 HF 1\u202fas soon as possible.\u00a0<\/span><\/span><\/li>\n<li style=\"text-align: justify;\" role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Isolate your network from SolarWinds&#8217; servers and restrict the scope of connectivity until further investigation is done.\u00a0<\/span><\/span><\/li>\n<li style=\"text-align: justify;\" role=\"presentation\"><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Consider changing passwords to ensure the security of your environment.\u00a0<\/span><\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>SolarWinds disclosed on Dec 13 that vulnerabilities in their network management tool Orion was used to mount attacks on FireEye and on several Government agencies. CSW analyzed Orion\u2019s 15 Vulnerabilities and has found that CVE-2019-9546 \u2013 with a known critical Privilege Execution Exploit needs immediate remediation along with an upgrade to Orion Platform version 2020.2.1 HF.1.<\/p>\n","protected":false},"author":1,"featured_media":7574,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[82,80,81],"tags":[341,338,340,337],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7578"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7578"}],"version-history":[{"count":4,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7578\/revisions"}],"predecessor-version":[{"id":15295,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7578\/revisions\/15295"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/7574"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}