The recent SolarWinds supply chain attack was one of the most notable breaches of the last year.
The full extent of the attack is still unknown; what is clear is that it demonstrated a remarkable level of planning and sophistication, with the adversaries orchestrating a subtle campaign that took months of preparation and careful lateral movement.
At the heart of the attack was the SolarWinds Orion product, which the attackers managed to access and turn into a Trojanised weapon against SolarWinds’ customer base. This inspired us to investigate other products based on the Orion framework – and we soon discovered three severe vulnerabilities impacting multiple SolarWinds products. These issues could be exploited in a serious attack, granting an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system.
As these issues have been officially disclosed to SolarWinds and patches have been issued, we’ll explore how these flaws could have been exploited by attackers, and how to reduce the risk posed by similar unknown vulnerabilities.
Exploiting MSMQ during installation
The first bug we encountered was apparent before we even finished installing the software. As part of the installation process, we were asked to set up Microsoft Message Queue (MSMQ), a piece of software that has been around for more than two decades. Once it was installed, we opened it up in the Computer Management console to see what was going on under the hood. We immediately noticed that the message queues were unauthenticated, which means that any user could use them to send messages over TCP port 1801 without authentication. The code used to handle the messages turned out to be vulnerable to unsafe deserialisation.
Combining these two issues means an unprivileged user could use the system to remotely execute code. Worse, because the message-processing code runs as a Windows service under the LocalSystem account, successful exploitation grants full control of the underlying system.
It should be noted that a patch is now available for the issue, adding a digital signature validation step for incoming messages. However, the MSMQ itself is still unauthenticated and allows any unauthorised user to send messages.
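An added audit script (not SolarWinds' or Trustwave's code) that inventories local private MSMQ queues still accepting unauthenticated messages, the condition described above, and checks whether the MSMQ TCP port is listening. It assumes the MSMQ feature is installed and that it runs elevated on the host itself.

```powershell
# Added example: enumerate private MSMQ queues that accept unsigned messages.
# Uses the .NET System.Messaging API; assumes MSMQ is installed and we run as admin.
Add-Type -AssemblyName System.Messaging

function Get-UnauthenticatedMsmqQueue {
    [CmdletBinding()]
    param([string] $MachineName = '.')   # '.' means the local machine
    # Authenticate = $false means the queue accepts messages without a sender signature,
    # so anything that can reach the queue can feed data to whatever deserialises it.
    [System.Messaging.MessageQueue]::GetPrivateQueuesByMachine($MachineName) |
        Where-Object { -not $_.Authenticate } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.Path
                QueueName    = $_.QueueName
                Authenticate = $_.Authenticate
            }
        }
}

function Test-MsmqListener {
    # TCP 1801 is the port MSMQ uses for remote delivery; a listener here means the
    # unauthenticated queues above are reachable from the network, not just locally.
    $conn = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    return [bool] $conn
}

Get-UnauthenticatedMsmqQueue | Format-Table -AutoSize
if (Test-MsmqListener) {
    Write-Warning 'MSMQ is listening on TCP 1801; the unauthenticated queues above are remotely reachable.'
}
```

Treat the output as an inventory to compare against the vendor's guidance rather than flipping Authenticate on a product's queues directly, since that changes what the product's own senders must provide.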
An easy path to database credentials
With the software installed, our next step was to check how well it secured the credentials for the backend database. This is hugely important, as many breaches occur due to data being accidentally left accessible in a poorly configured database.
Exploring the files installed with the software, we soon found one that contained the credentials for the SolarWinds backend database, with access permissions granted to all locally authenticated users.
The credentials were encrypted, but running a decryption tool yielded the cleartext password for an account named SolarWindsOrionDatabaseUser. From here it would have been possible to connect to the Microsoft SQL Server and essentially gain complete control over the SOLARWINDS_ORION database, making it possible to steal information or create new admin users for SolarWinds Orion products. This bug would have allowed a threat actor to conduct widespread data theft or begin compromising other Orion customers.
Creating an admin user
Our final discovery was in another SolarWinds product, Serv-U FTP for Windows. We found that accounts are stored on disk in separate files and can be easily compromised because of weak directory access control lists. Whether logged in locally or remotely, it is as simple as dropping in a file that defines a new user.
Serv-U FTP will automatically pick up any user present in the folder, including one defined as having admin rights. The account can then be used to log in via FTP, and because the service runs as LocalSystem, it is possible to begin reading or replacing any file on the C: drive.
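The credential-file finding and the Serv-U user-folder finding share one root cause, a file or directory ACL that is too permissive for ordinary local users, so this added PowerShell check (not SolarWinds' or Trustwave's code) covers both: it walks a directory tree and reports entries that grant read or write rights to broad local groups. The path and the list of broad principals are assumptions to adjust for your environment.

```powershell
# Added example: find files/folders whose ACL grants broad local groups rights that
# expose credentials (read) or let anyone plant an account definition (write/create).
function Find-BroadAccessEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Read rights matter for configuration/credential files; WriteData/CreateFiles
        # matter for a folder the application polls for user definitions.
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadData, WriteData, CreateFiles',
        # Assumed set of "everyone who can log on" principals; extend for your domain groups.
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # Keep only the bits of the ACE that overlap the rights we care about.
                $granted = $ace.FileSystemRights -band $Rights
                if ($granted -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $item.FullName
                    IsFolder  = $item.PSIsContainer
                    Principal = $ace.IdentityReference.Value
                    Rights    = [System.Security.AccessControl.FileSystemRights] $granted
                    Inherited = $ace.IsInherited   # inherited ACEs point at a parent folder to fix
                }
            }
        }
}

# Usage (placeholder path; point it at the product's real install or data directory):
Find-BroadAccessEntry -Path 'C:\Path\To\ProductDirectory' | Format-Table -AutoSize
```

Read hits on files that hold configuration are candidates for the database-credential exposure described above; write or create hits on a folder the application scans for account files are candidates for the Serv-U style issue.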
Reducing risk exposure to software flaws
All three of these vulnerabilities could have been exploited to carry out serious cyber-attacks, including remotely executing code, stealing credentials, and writing or deleting any file on the system. The takeaway here is that any piece of software is very likely to contain as-yet undiscovered vulnerabilities and bugs, so organisations should never assume their applications are fully secure. It is imperative to have strategies in place to close gaps as soon as possible, as well as to mitigate the risk of unknown vulnerabilities. Establishing a robust Secure Development Lifecycle (SDLC) process is essential.
In this case, it was fortunate that we were able to discover and securely disclose the issues to SolarWinds before they were found and exploited by an attacker in the wild. SolarWinds should also be commended for its work in the disclosure process and its swift work getting patches out for all three flaws. Organisations should ensure they apply these patches as soon as possible to prevent them being used in an attack.
Having a solid patching strategy in place will greatly mitigate the risk posed by newly discovered vulnerabilities like these. Enterprises should be following a regular cadence for applying patches and updates as they are made available, as well as being able to prioritise high risk vulnerabilities that could be exploited to facilitate a serious breach.
Ensuring that other good security hygiene practices, such as strong password management and least-privilege policies, are in place will also help to reduce the impact of undiscovered vulnerabilities if threat actors find them before security analysts do. Finally, organisations should ensure they have the ability to detect suspicious activity that could indicate a vulnerability is being exploited for malicious ends such as escalating privileges or lateral movement.
About the Author
Ed Williams is EMEA Director of SpiderLabs at Trustwave. Trustwave is a leading cybersecurity and managed security services provider focused on threat detection and response. Offering a comprehensive portfolio of managed security services, consulting and professional services, and data protection technology, Trustwave helps businesses embrace digital transformation securely.