Trio of new SolarWinds vulnerabilities gives RCE.
"Since we can create any Serv-U FTP user, it makes sense to define an admin account..."
Three new SolarWinds vulnerabilities give an attacker "full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system" according to fresh security research from Chicago-based security vendor Trustwave.
The trio of bugs were reported after Texas-based software company SolarWinds fell victim to a supply chain compromise of its Orion product that was then used to hack ~10 federal US agencies and scores of companies globally. The new bugs are unrelated to that incident.
Two of the bugs (allocated CVE-2021-25275 and CVE-2021-25274) are in the SolarWinds Orion Platform and one (allocated CVE-2021-25276) in SolarWinds Serv-U FTP for Windows. With the latter, any local user or one logged in via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up, Spiderlabs' Martin Rakhmanov notes.
"Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem."
Spiderlabs says the two Orion bugs can be combined for remote code execution by remote, unprivileged users. It says it has not seen evidence that they were exploited in the wild or used in the recent attacks. Spiderlabs is releasing a POC January 9 so for those affected patching should be done promptly, because attacks will not be far behind.
(The first of the two Orion bugs lets unprivileged users who can log in to the box locally or via RDP run decrypting code and get a cleartext password for the SolarWindsOrionDatabaseUser: "They can then connect to the Microsoft SQL Server [running the product backend database management] using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database. From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion.")
The brace of Orion bugs were disclosed to SolarWinds on December 30, 2020 and patched on January 25. The Serv-U-FTP bug was reported January 4 and a hotfix released January 22.
- Fixes are available in Orion Platform 2020.2.4 and ServU-FTP 15.2.2 Hotfix 1 (Trustwave Advisory TWSL2021-001: TBD).