Following last year's SolarWinds hack (opens in new tab), a security researcher from Trustwave's SpiderLabs (opens in new tab) decided to take a further look into the company's software to see if he could find any additional vulnerabilities.
In a new blog post (opens in new tab), security research manager at Trustwave Martin Rakhmanov has revealed that he found three severe bugs in two products from SolarWinds. Thankfully none of these vulnerabilities were exploited during the recent SolarWinds attacks or in any attacks in the wild but one of the three newly discovered bugs could be exploited to achieve remote code execution (opens in new tab) with high privileges.
Rakhmanov began his investigation by taking a look into other SolarWinds products based on its Orion (opens in new tab) framework. He installed the company's User Device Tracker software and was prompted to set up Microsoft Message Queue (MSMQ) which has been around for more than two decades and is no longer installed by default on modern Windows systems. After looking at the huge list of private queues, Rakhmanov found that these queues are unauthenticated which means that unauthenticated users can send messages to them over TCP port 1801.
- We've put together a list of the best endpoint protection (opens in new tab) software
- Keep your devices virus free with the best malware removal (opens in new tab) software
- Also check out our roundup of the best ransomware protection (opens in new tab)
From here, he checked how well SolarWinds secures credentials for its backend database. It was then that Rakhmanov discovered that he could decrypt passwords (opens in new tab) stored in the company's database using readily available software. Using these passwords, someone can steal information or even add a new admin-level user inside SolarWinds Orion products.
Serv-U FTP vulnerability
To finish off his investigation, Rakhmanov looked at another SolarWinds product called Serv-U FTP for Windows to discover that software stores accounts on disk in separate files.
As directory access control (opens in new tab) lists in the software allow complete compromise by any authenticated Windows user, anyone can log in locally or via remote desktop (opens in new tab) and drop a file that defines a new users and Ser-U FTP will automatically pick it up. Since new users can be created this way, these accounts can be upgraded to admin status to allow anyone to log in via FTP and read or replace any file on a system's C drive since the FTP server runs as LocalSystem.
Trustwave responsibly reported all of these bugs to SolarWinds and the company then released patches in a timely manner which are available via direct download here (opens in new tab) and in a post (opens in new tab) on its site.
However, as some users have not yet patched their systems, SpiderLabs will be waiting until later to publish its proof of concept (PoC) code for these bugs.
- We've also highlighted the best antivirus (opens in new tab)