Severity Rating: High

Systems Affected

SolarWinds Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or
with 2020.2 HF 1, including:

Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SRM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)

Overview

A highly sophisticated supply chain attack has been reported against the
SolarWinds Orion IT monitoring and management software, resulting in a
backdoor with remote code execution that may further lead to lateral
movement and data theft.

Description

SolarWinds Orion Platform software builds have been reported to be part of
a sophisticated manual supply chain attack.

In this sophisticated supply chain attack, adversaries compromised updates
to the SolarWinds Orion IT monitoring and management software,
specifically a component called 'SolarWinds.Orion.Core.BusinessLayer.dll'
in versions 2019.4 HF 5 through 2020.2.1. The digitally signed updates were
posted on the SolarWinds website from March to May 2020. The backdoor can
communicate with third-party servers over HTTP and is able to execute
commands to transfer and execute files, profile the system, reboot the
machine, and disable system services.

Note: Exploitation of this vulnerability has been reported in the wild.



Solution

Users with Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 need to
upgrade to Orion Platform version 2020.2.1 HF 1.
Users with Orion Platform v2019.4 HF 5 need to upgrade to Orion Platform
version 2019.4 HF 6.
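The upgrade rules above, applied to an inventory of Orion Platform version strings, as an added example (not code from CERT-In or SolarWinds). It assumes version strings are written the way this advisory writes them ("2020.2 HF 1", "2019.4 HF 5") and, following the Description's "2019.4 HF 5 through 2020.2.1" range, treats 2020.2.1 without a hotfix as affected; the inventory lines are constructed sample data.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

class OrionVersion(NamedTuple):
    release: Tuple[int, ...]  # e.g. (2020, 2) or (2020, 2, 1)
    hotfix: int               # 0 when no hotfix is applied

# Accepts "2020.2", "2020.2 HF 1", "2019.4 HF 5", "2020.2.1 HF 1" (assumed format).
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)

# Affected builds from this advisory, mapped to the fixed build to install.
# Keys are version_key() tuples: (major, minor, patch, hotfix).
AFFECTED: Dict[Tuple[int, int, int, int], str] = {
    (2019, 4, 0, 5): "2019.4 HF 6",
    (2020, 2, 0, 0): "2020.2.1 HF 1",
    (2020, 2, 0, 1): "2020.2.1 HF 1",
    (2020, 2, 1, 0): "2020.2.1 HF 1",  # in the "through 2020.2.1" range
}

def parse_version(text: str) -> OrionVersion:
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion Platform version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return OrionVersion(release, hotfix)

def version_key(v: OrionVersion) -> Tuple[int, int, int, int]:
    # Pad "2020.2" to (2020, 2, 0) so a hotfix on 2020.2 sorts below 2020.2.1.
    release = (tuple(v.release) + (0, 0, 0))[:3]
    return (release[0], release[1], release[2], v.hotfix)

def assess(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version_to_install) for one version string."""
    fix = AFFECTED.get(version_key(parse_version(text)))
    return (fix is not None, fix)

def hosts_needing_upgrade(inventory_csv: str) -> Dict[str, str]:
    """Map each affected host in 'host,version' lines to its target build."""
    result: Dict[str, str] = {}
    for line in inventory_csv.strip().splitlines():
        host, version = (part.strip() for part in line.split(",", 1))
        affected, fix = assess(version)
        if affected and fix is not None:
            result[host] = fix
    return result

# Constructed sample inventory, not data from the advisory.
SAMPLE_INVENTORY = """orion-prod-01,2020.2 HF 1
orion-dr-02,2019.4 HF 5
orion-lab-03,2020.2.1 HF 1
"""
```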

Recommendations

Organisations are strongly advised to take additional measures such as:

changing the passwords of all accounts accessible from Orion servers
analysing the configuration of all network devices managed by the Orion
platform for alteration.

Organisations should consider the impacts and applicability of these steps
on their specific network operations prior to implementing these
mitigations.



Vendor Information



References

SolarWinds
t/core-secure-configuration.htm

US CERT
on-solarwinds-software

FireEye
ages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- -fireeye-red-team-tools.html

Microsoft
p-based-kerberoasting-with-azure-atp/ba-p/462448
on-state-cyber-attacks/
