SolarWinds Patches Vulnerabilities That Could Allow Full System Control

An anonymous reader quotes a report from Ars Technica: SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities. Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds’ software development system and used it to distribute backdoored updates to Orion customers. It didn’t take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There’s no evidence any of the vulnerabilities have been exploited in the wild.

The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274 the vulnerability stems from Orion’s use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines. […] The second Orion vulnerability, tracked as CVE-2021-25275, is the result of Orion storing database credentials in an insecure manner. Specifically, Orion keeps the credentials in a file that’s readable by unprivileged users. Rakhmanov facetiously called this “Database Credentials for Everyone.” While the files cryptographically protect the passwords, the researcher was able to find code that converts the password to plaintext. The result: anyone who can log in to a box locally or through the Remote Desktop Protocol can gain the credentials for the SolarWindsOrionDatabaseUser.

The third vulnerability, tracked as CVE-2021-25276, resides in the Serv-U FTP for Windows. The program stores details for each account in a separate file. Those files can be created by any authenticated Windows user. Rakhmanov wrote: “Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem.”

Fixes for Orion and Serv-U FTP are available here and here.