The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274 the vulnerability stems from Orion’s use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines. […] The second Orion vulnerability, tracked as CVE-2021-25275, is the result of Orion storing database credentials in an insecure manner. Specifically, Orion keeps the credentials in a file that’s readable by unprivileged users. Rakhmanov facetiously called this “Database Credentials for Everyone.” While the files cryptographically protect the passwords, the researcher was able to find code that converts the password to plaintext. The result: anyone who can log in to a box locally or through the Remote Desktop Protocol can gain the credentials for the SolarWindsOrionDatabaseUser.
The third vulnerability, tracked as CVE-2021-25276, resides in the Serv-U FTP for Windows. The program stores details for each account in a separate file. Those files can be created by any authenticated Windows user. Rakhmanov wrote: “Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem.”