A handful of “severe” vulnerabilities have been discovered in SolarWinds Orion, the same IT management software that was hijacked by alleged Russian hackers to steal data from multiple government agencies, cybersecurity companies and other tech companies.
One of the flaws could’ve allowed a hacker to gain complete remote control of a targeted SolarWinds system, according to researchers at security company Trustwave. Patches were released on January 25 and customers have been urged to patch immediately.
The warning comes as Reuters reported that SolarWinds weaknesses were used by China-linked hackers to breach another U.S. government agency – the National Finance Center, a federal payroll body inside the U.S. Department of Agriculture. The agency denied that it had been impacted by the SolarWinds hack.
Other organizations affected by the SolarWinds attacks have been more open. Just last week, cybersecurity company Qualys said it was targeted but didn’t have any data stolen, whilst the Virginia State Corporation Commission admitted a breach that it was investigating. After research indicated the Army National Guard was also targeted, the military agency said it “did not have a confirmed compromise as a result of the SolarWinds supply chain compromise.”
New Orion flaws
Trustwave is choosing not to release full details of some of the vulnerabilities to give SolarWinds users more time to patch. But it did note that one of them stemmed from the lack of authentication on messages coming in from servers outside of an Orion user’s organization. Because such messages are run as a Microsoft Windows service, “we have complete control of the underlying operating system,” wrote SpiderLabs Trustwave security research manager Martin Rakhmanov.
Another of the newly-disclosed flaws in SolarWinds Orion meant that anyone who had gained either local or remote access to a server running the tool could easily decrypt passwords for the user database. From there, the hacker can take control of the database, add themselves as an admin and steal the data within.
“These issues could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system,” Rakhmanov added.
The issues were disclosed to SolarWinds on 30 December 2020 and the companies worked together to release patches in late January.