Researchers at security firm Trustwave on Wednesday disclosed two critical vulnerabilities in the same software that suspected Russian spies have exploited to infiltrate multiple U.S. government agencies.
One of the bugs could offer an attacker a similar level of control over the software made by federal contractor SolarWinds that the alleged Russians enjoyed, the researchers said.
SolarWinds has issued fixes for the vulnerabilities and urged customers to apply them. There is no evidence that malicious hackers have exploited any of the bugs.
The analysis of SolarWinds’ Orion software platform — which is used by numerous Fortune 500 firms — illustrates the greater scrutiny the firm is under since disclosing the supply-chain hack. But it also shows the security benefits of having more outside researchers sift through Orion’s code.
“As people were patching against the implant backdoor [used in the espionage campaign], this would provide the ability to get back into those systems, even though the backdoor had been removed,” Trustwave’s Karl Sigler said of one of the vulnerabilities, which could allow an attacker to remotely execute code and steal data. (Exploiting the bug generally requires targeted computer systems to be exposed to the internet, unlike the vulnerability exploited in the espionage.)
Trustwave also found a third vulnerability, unrelated to Orion, in software running on SolarWinds servers that could allow an attacker to replace server files. SolarWinds also issued a patch for that bug.
Sigler, a researcher at Trustwave’s SpiderLabs security division, said his firm plans to release proof-of-concept exploit code for the vulnerabilities on Feb. 9. The goal is to spur people to apply the SolarWinds software patches before malicious hackers use their own exploits.
Demands for change
The Trustwave research is a reminder of why the alleged Russian hackers tampered with Orion in the first place — because of the far-reaching access the network monitoring software offers to other systems. The attackers, after all, pushed malicious code to some 18,000 SolarWinds customers but only exploited that access to spy on a much smaller number of organizations, according to investigators.
The vulnerability that Sigler described is in how the Orion platform handles software made by Microsoft that allows applications to communicate. It could allow an attacker who breaches Orion to move on to other sensitive computers with which the software interacts.
The second bug that Trustwave found in Orion could allow an attacker with access to a targeted computer to take over the Orion database or add administrative privileges inside Orion products.
SolarWinds came under criticism for its security practices prior to the breach. A company server was accessible with a “solarwinds123” password, one security researcher told Reuters. One former SolarWinds cybersecurity adviser, Ian Thornton-Trump, told Bloomberg News that he left the firm after his warnings to bolster security were ignored.
But SolarWinds says it is committed to improving its security, and has been working with others firms and with U.S. government agencies to do so. The Texas-based firm has hired Christopher Krebs, a former senior Department of Homeland Security official, and ex-Facebook chief Alex Stamos to help respond to the hack.
“We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way,” a SolarWinds spokesperson said in response to the Trustwave report.
Trustwave’s Sigler said the string of supply-chain compromises will put pressure on software providers to show customers they are investing in security.
“I think we’re going to see a lot more demands from the consumer side to make sure that these vendors that they’re trusting so much can actually be worth that trust,” Sigler said.
The Trustwave research comes on the heels of a Reuters report that suspected Chinese hackers used a different vulnerability in SolarWinds software to breach the U.S. Department of Agriculture.
CyberScoop could not confirm the identity of the hackers.
A SolarWinds spokesperson said the attackers in that breach added malicious software known as Supernova to the Orion software “on a customer’s network.”
The spokesperson did not specify the customer, but a person familiar with the matters said it is the USDA. A spokesperson for the agency did not respond to multiple requests for comment.