https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/
SpiderLabs Blog

Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities

February 03, 2021
Martin Rakhmanov

In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs, with the most critical one allowing remote code execution with high privileges. To the best of Trustwave's knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any "in the wild" attacks.
However, given the criticality of these issues, we recommend that affected users patch as soon as possible. We have purposely left out specific Proof of Concept (PoC) code in this post in order to give SolarWinds users a longer margin to patch, but we will post an update to this blog that includes the PoC code on Feb. 9.

SolarWinds Orion Platform Vulnerability (CVE-2021-25274): Messages Queued, Processed, Deserialized and Exploited

In light of the recent SolarWinds supply chain attack, I decided to take a quick look at SolarWinds products based on the Orion framework. SolarWinds offers trial versions for download. I picked User Device Tracker and installed it on a vanilla Windows Server 2019 virtual machine. As part of the installation, there is a setup of Microsoft Message Queue (MSMQ), which has been around for more than two decades. This immediately grabbed my attention since, by default, this technology is not installed on modern Windows systems. Next, the installer suggested installing Microsoft SQL Server Express for the product's backend database, but I could have opted to use an existing Microsoft SQL Server instance too. After a few more steps - voila - we have the product up and running.

Since MSMQ was installed, the first thing I tried was to open the Computer Management console to see what's going on under Message Queuing, as you can see in Figure 1.

Figure 1: SolarWinds Orion Collector uses MSMQ heavily.
As you can see, there is a huge list of private queues, and literally every one of them has a specific problem. See if you can pinpoint it in Figure 2 below.

Figure 2: Security is not configured on the queues.

It's pretty hard to miss that warning shield showing that the queue, like all the queues, is unauthenticated. In short, unauthenticated users can send messages to such queues over TCP port 1801. My interest was piqued, and I jumped in to look at the code that handles incoming messages. Unfortunately, it turned out to be an unsafe deserialization victim. A simple Proof of Concept (PoC) (which, again, we will release on Feb. 9) allows remote code execution by remote, unprivileged users by combining those two issues. Given that the message processing code runs as a Windows service configured to use the LocalSystem account, we have complete control of the underlying operating system.

After the patch is applied, a digital signature validation step is performed on arriving messages, so that messages having no signature or not signed with a per-installation certificate are not processed further. On the other hand, the MSMQ queues are still unauthenticated and allow anyone to send messages to them.

SolarWinds Orion Platform Vulnerability (CVE-2021-25275): Database Credentials for Everyone

My next step in the research was to check how well SolarWinds secured the credentials for the backend database, since database security is a research area we care about very much. After a simple grep across the files installed by the product, one file was found (well, actually two, but more on that later), as shown in Figure 3.

Figure 3: Configuration file with Orion backend database credentials.

Permissions are generously granted to all locally authenticated users, as shown in Figure 4.

Figure 4: Authenticated users can read the file content.
Inside this file, we find credentials for the SolarWinds backend database called SOLARWINDS_ORION:

Figure 5: Inside the configuration file are database credentials for the Orion backend database.

I spent some time finding the code that decrypts the password, but essentially it's a one-liner. In the end, unprivileged users who can log in to the box locally or via RDP will be able to run the decrypting code and get a cleartext password for the SolarWindsOrionDatabaseUser. We are withholding all Proof of Concept (PoC) code for these vulnerabilities to give users a little more time to patch, but you'll be able to test this out for yourselves next week on Feb. 9.

The next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database. From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.

Figure 6: After using a small decryption utility, we can connect to the database.

As mentioned earlier, I performed my tests on the trial version, and when verifying the patch I noticed that while it secures the SWNetPerfMon.DB file, it does not secure the SWNetPerfMon.DB.Eval file found in the trial. This concludes the section about insecure configuration file storage. On to the next finding!

SolarWinds Serv-U FTP Vulnerability (CVE-2021-25276) - FTP Server: Let Me Add an Admin User for Myself

Finally, I took a quick look at another SolarWinds product called Serv-U FTP for Windows. It turns out that the accounts are stored on disk in separate files. Directory access control lists allow complete compromise by any authenticated Windows user. Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and Serv-U FTP will automatically pick it up.
Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of the C:\ drive. Now we can log in via FTP and read or replace any file on C:\, since the FTP server runs as LocalSystem.

Figure 7: Authenticated users can write to the configuration directory.

Summary

In this post, we discussed two findings in SolarWinds Orion User Device Tracker and one in SolarWinds Serv-U FTP. These issues could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system. Trustwave reported all three findings to SolarWinds, and patches were released in a very timely manner. We want to thank SolarWinds for their partnership during the disclosure process. We recommend that administrators upgrade as soon as possible. We will also be releasing an update to this blog post with Proof of Concept (PoC) code next week on Feb. 9, to give users some additional time to patch. Having direct PoC code helps information security professionals better understand these issues as well as develop protections to prevent exploitation.
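As an added example, not part of the original post and not SolarWinds' own tooling, the following Windows PowerShell 5.1 script audits a host for the three weak configurations described above from the defender's side: MSMQ private queues that do not require sender authentication, the SWNetPerfMon.DB and SWNetPerfMon.DB.Eval credential files readable by broad groups, and a Serv-U user-definition directory writable by those groups. The two install paths are assumed placeholders, since the post does not give them, and the list of "broad" identities is a plain allow-list of well-known groups.

```powershell
# Added defender-side audit (not from the Trustwave post or from SolarWinds).
# It checks the three weak configurations the post describes:
#   1. MSMQ private queues that accept unauthenticated senders   (CVE-2021-25274)
#   2. SWNetPerfMon.DB / .DB.Eval readable by broad local groups (CVE-2021-25275)
#   3. The Serv-U user-definition directory writable by them     (CVE-2021-25276)
# The post gives no install paths, so both paths below are assumed placeholders.
# Requires Windows PowerShell 5.1 (System.Messaging is a .NET Framework assembly).
param(
    [string]$OrionRoot    = 'C:\PLACEHOLDER\SolarWinds',   # assumption: Orion install root
    [string]$ServUUserDir = 'C:\PLACEHOLDER\Serv-U\Users'  # assumption: Serv-U user file dir
)

# An Allow ACE for any of these identities means "every local account", which is
# exactly the over-broad grant the post shows in Figures 4 and 7.
$BroadIdentities = @(
    'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadAccess {
    # Emits one record per Allow ACE on $Path that grants a broad identity any bit of $Rights.
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        # Bitwise test, so Modify and FullControl count as a match for WriteData, etc.
        if (([int]$ace.FileSystemRights -band [int]$Rights) -ne 0) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# 1. Queues with Authenticate = $false accept messages from anyone who reaches TCP 1801.
Add-Type -AssemblyName System.Messaging
[System.Messaging.MessageQueue]::GetPrivateQueuesByMachine('.') |
    Where-Object { -not $_.Authenticate } |
    ForEach-Object { "UNAUTHENTICATED QUEUE: $($_.Path)" }

# 2. Credential files: a broad read ACE lets any local user recover the DB password.
Get-ChildItem -Path $OrionRoot -Recurse -Filter 'SWNetPerfMon.DB*' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-BroadAccess -Path $_.FullName -Rights ReadData } |
    ForEach-Object { "WORLD-READABLE CONFIG: $($_.Path) <- $($_.Identity) [$($_.Rights)]" }

# 3. User directory: broad write rights let any local user plant a user-definition file.
if (Test-Path -Path $ServUUserDir) {
    $writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, Modify, FullControl'
    Get-BroadAccess -Path $ServUUserDir -Rights $writeRights |
        ForEach-Object { "WRITABLE USER DIR: $($_.Path) <- $($_.Identity) [$($_.Rights)]" }
}
```

Per the post, the Orion patch adds signature validation of queued messages rather than enabling queue authentication, so check 1 will keep reporting the queues on a patched host; treat that output as inventory and confirm the installed version against the fixed releases listed in the references instead.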
Disclosure Timeline

12/30/2020 - Orion vulnerabilities disclosed to vendor
01/04/2021 - Confirmation of Orion CVEs
01/04/2021 - Serv-U FTP vulnerabilities disclosed to vendor
01/05/2021 - Confirmation of Serv-U FTP CVE
01/22/2021 - Serv-U FTP hotfix released
01/25/2021 - Orion patches released
02/03/2021 - Advisory published
02/09/2021 - Proof of Concept code released

References

* Fixes are available in the following versions of SolarWinds products:
  + Orion Platform 2020.2.4
  + Serv-U FTP 15.2.2 Hotfix 1 (direct download .zip patch)
* Trustwave SpiderLabs Advisory TWSL2021-001: Multiple Vulnerabilities in SolarWinds Orion
* Trustwave SpiderLabs Advisory TWSL2021-002: Vulnerability in SolarWinds Serv-U FTP Server

Trustwave Protections

Trustwave vulnerability scanning products can detect these vulnerabilities, and Trustwave IDS/IPS products include signatures that can detect network exploitation of CVE-2021-25274.