Take Action Now
Disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from the network.
Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that advanced persistence mechanisms or APTs have been deployed.
Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
A known nation-state attack is imminent, and federal agencies have been ordered to turn off SolarWinds products. The emergency directive from cyber.dhs.gov discloses that disconnecting affected devices is the only known mitigation measure currently available.
Everyone’s Risk Exposure
Even if you are not a direct SolarWinds product user, immediate mitigation of vulnerability exposure is still necessary. One of the first reported compromises was the US security firm FireEye. It was breached through the SolarWinds compromise, and a large number of its tools and exploits were stolen by nation-state threat actors.
To help organizations block the use of these weaponized vulnerabilities, FireEye released a list of the CVEs most heavily targeted by the stolen penetration-testing tools (see the full listing at the end of this post). Every organization should review this information and take proactive steps. Mitigate these published risks now, as they are quickly becoming part of the arsenal of malicious tactics security analysts are seeing in the wild.
For small to mid-size businesses, the SaaS business solution Zoho was a key target of these exploits. The vulnerable component is one used to manage remote desktops and is often used by Managed Service Providers. (TECH LOCK does not use this technology in our service offering.) To understand the implications of this vulnerability, a security researcher from Microsoft used the Shodan search engine to find 2,300 publicly accessible instances. Obviously, these systems should all be behind a firewall, but this shows how easily a single point of access into a managed service provider could open doors to all of its customers, much the same tactic at play in the SolarWinds compromise.
There are advanced security measures every organization should take within the next few days to weeks: review its attack surface risk, conduct a forensic investigation and hunt for indicators of compromise, and systematically rebuild hosts while strengthening account passwords and encryption algorithms. If you need assistance, please reach out to firstname.lastname@example.org; we can provide an end-to-end security solution in which we take on the burden of keeping pace with the continual changes in the threat landscape. Feel free to ask for a demo of our TECH LOCK Secure portal, which keeps you up to date and informed about the security of your business.
Critical CVEs to Review and Patch
Listed below are the CVEs that should be treated as a critical priority for patching, in addition to reviewing FireEye's GitHub repository of countermeasures.
CVE-2019-11510 – A critical arbitrary file disclosure vulnerability in the Pulse Connect Secure VPN. Common Vulnerability Scoring System (CVSS) score of 10.
CVE-2020-1472 – The “Netlogon Elevation of Privilege Vulnerability,” a critical elevation of privilege vulnerability. CVSS score of 10.
CVE-2018-13379 – Improper limitation of a pathname to a restricted directory (path traversal) in Fortinet SSL VPN. CVSS score of 9.8.
CVE-2018-15961 – An unrestricted file upload vulnerability affecting Adobe ColdFusion. Successful exploitation could lead to arbitrary code execution. CVSS score of 9.8.
CVE-2019-0604 – A critical remote code execution vulnerability in Microsoft SharePoint. CVSS score of 9.8.
CVE-2019-0708 – A critical remote code execution vulnerability in Microsoft Remote Desktop Services. CVSS score of 9.8.
CVE-2019-11580 – A remote code execution vulnerability in Atlassian Crowd. CVSS score of 9.8.
CVE-2019-19781 – A remote code execution issue in Citrix Application Delivery Controller (ADC) reached through directory traversal. CVSS score of 9.8.
CVE-2020-10189 – A remote code execution vulnerability in Zoho ManageEngine Desktop Central. CVSS score of 9.8.
CVE-2014-1812 – A local elevation of privilege vulnerability in Windows. CVSS score of 9.0.
CVE-2019-3398 – An authenticated remote code execution vulnerability in Atlassian Confluence. CVSS score of 8.8.
CVE-2020-0688 – A remote command execution vulnerability in Microsoft Exchange. CVSS score of 8.8.
CVE-2016-0167 – A local privilege escalation vulnerability affecting older versions of Microsoft Windows. CVSS score of 7.8.
CVE-2017-11774 – A remote code execution vulnerability in Microsoft Outlook, otherwise known as the “Microsoft Outlook Security Feature Bypass Vulnerability.” CVSS score of 7.8.
CVE-2018-8581 – An elevation of privilege vulnerability in Microsoft Exchange. CVSS score of 7.4.
CVE-2019-8394 – Allows remote attackers to upload arbitrary files to Zoho ManageEngine ServiceDesk Plus via login page customization. CVSS score of 6.5.