SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities.
Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds’ software development system and used it to distribute backdoored updates to Orion customers. It didn’t take long for him to find three vulnerabilities, two in Orion and a third in a product known as the Serv-U FTP for Windows. There’s no evidence any of the vulnerabilities have been exploited in the wild.
The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274 the vulnerability stems from Orion’s use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines.
Hard to miss
As Rakhmanov poked through the Windows Computer Management console, he quickly seized on the following security permissions for one of the dozens of private queues it enabled:
“It’s pretty hard to miss that warning shield showing that the queue, like all the queues, is unauthenticated,” the researcher wrote. “In short, unauthenticated users can send messages to such queues over TCP port 1801. My interest was piqued, and I jumped in to look at the code that handles incoming messages. Unfortunately, it turned out to be an unsafe deserialization victim.”
Trustwave SpiderLabs described the flaw this way in a separate advisory:
SolarWinds Collector Service uses MSMQ (Microsoft Message Queue) and it doesn’t set permissions on its private queues. As a result, remote unauthenticated clients can send messages that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner allowing remote arbitrary code execution as LocalSystem.
Database Credentials for Everyone
The second Orion vulnerability, tracked as CVE-2021-25275, is the result of Orion storing database credentials in an insecure manner. Specifically, Orion keeps the credentials in a file that’s readable by unprivileged users. Rakhmanov facetiously called this “Database Credentials for Everyone.”
While the files cryptographically protect the passwords, the researcher was able to find code that converts the password to plaintext. The result: anyone who can log in to a box locally or through the Remote Desktop Protocol can gain the credentials for the SolarWindsOrionDatabaseUser.
“The next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database,” Rakhmanov wrote. “From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.”
Create your own admin account
The third vulnerability, tracked as CVE-2021-25276, resides in the Serv-U FTP for Windows. The program stores details for each account in a separate file. Those files can be created by any authenticated Windows user.
Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C: drive. Now we can log in via FTP and read or replace any file on the C: since the FTP server runs as LocalSystem.
Fixes for Orion and Serv-U FTP are available here and here. People who rely on either of these products should install patches as soon as possible.