___________________________________________________________________
Full System Control with New SolarWinds Orion and Serv-U FTP
Vulnerabilities
Author : wglb
Score : 43 points
Date : 2021-02-04 16:36 UTC (1 days ago)
(HTM) web link (www.trustwave.com)
(TXT) w3m dump (www.trustwave.com)
| chrisco255 wrote:
| This same FTP server powers Dominion Voting Systems, which
| controls a huge share of the election infrastructure in the U.S.
|
| https://dvsfileshare.dominionvoting.com/Web%20Client/Mobile/...
| blhack wrote:
| Can you elaborate on why you think this is relevant?
| [deleted]
| leesalminen wrote:
| Can you elaborate on why you think this isn't relevant? It
| seems plainly obvious to me how it's relevant.
| thefreeman wrote:
| Does the FTP server print out paper ballots which voters
| then review and manually scan in a machine? If not then
| it's totally irrelevant.
| chrisco255 wrote:
| Dominion works off of dongles and file transfers.
|
| If you're curious about the DVS topology: https://www.sos
| .state.co.us/pubs/elections/VotingSystems/sys...
| tw04 wrote:
| For early voting reports. Paper ballots are tallied for
| official results.
|
| A vulnerability in the FTP software, which I don't
| believe you've provided any proof was actually exploited
| in the wild during the elections, makes 0 difference to
| official results.
| ficklepickle wrote:
| They never claimed it was exploited in the wild nor that
| it affected the results of the 2020 US election.
| korethr wrote:
| I will elaborate on why _I_ think it's relevant.
|
| The election infrastructure for much of the country has the
| security of Swiss cheese. And this isn't some new thing
| created from whole cloth by Trump supporters; people have
| been raising concern about this for years. Back when Obama
| was up for election, there were news articles about how
| election machines could potentially be tampered with to steal
| the election from Obama. When it was Trump vs Hillary, some
| were concerned the election would be stolen from Hillary, and
| when Trump _was_ elected, insinuations and outright
| accusations were levied that Trump stole the election
| through, amongst other things, election machine tampering.
| And then in this most recent election cycle, we have the
| "Kraken", et al., which appears to have, in part, motivated
| the Capitol riot.
|
| Regardless of what you think of the truth of the
| accusations, whether in this election cycle, prior ones, or
| future ones, the fact that the underlying (lack-of) security
| lends a plausibility to such accusations is a problem unto
| itself. If elections have or are tampered with by malicious
| agents, foreign or domestic, we do not have free and fair
| elections, and that's a Big Problem. If demagogues can easily
| stir up popular sentiment that the elections are not free and
| fair, that's also a Big Problem. It is the lack of election
| security that amplifies those problems into big ones.
|
| Sure, we can go after entities that try to tamper with
| elections, and we would do well to educate ourselves to be able
| to spot demagoguery and misinformation. But we would also do
| quite well to go after underlying problems that make the
| aforementioned problems worse.
| thefreeman wrote:
| That's why the CISA had a huge emphasis on paper backups in
| the election. You can't hack a physical printout which the
| voter verifies themself before scanning.
| ndiscussion wrote:
| The QR code is scanned, not the text on the paper
| printout, as far as I understand
| TrispusAttucks wrote:
| You're right. It's complicated. The sad thing is, it doesn't
| matter. Simpler manufactured narratives will win in the
| future.
| tyingq wrote:
| I poked around on Serv-U's customer testimonials. Lots of US
| Military, White House, various healthcare providers, etc. And
| they include specifics on customers too. Almost a ready-made
| hit list. Ouch.
| malux85 wrote:
| Unauthenticated queue, with unsafe deserialisation, running as
| the system account.
|
| Amateur hour
| uncledave wrote:
| That's almost as bad as the time Microsoft ran Defender sandbox
| as LocalSystem. CVE-2017-0290. That one was a massive dose of
| irony in one CVE.
|
| You'd think people would have learned about least privilege by
| now?
| a-dub wrote:
| the serv-u thing looks like a misconfiguration to me. i'd be
| curious how many installs in the wild are actually vulnerable.
| ie.
|
| 1) was there a previous install process that did set correct
| permissions for the access list tree?
|
| 2) did sites secure the access list tree themselves after
| install/security review?
|
| the msmq thing isn't great, but any professionally managed site
| would be protecting/firewalling application level sockets anyhow.
|
| not to say the bugs aren't real, they are, just wondering how
| much exposure they actually open up in the wild when combined
| with basic security hygiene.
| john37386 wrote:
| You can maybe ask shodan?
| https://www.shodan.io/search?query=serv-u
| tyingq wrote:
| Their hotfix seems to acknowledge that the software is
| specifically setting weak ACLs on that
| C:\ProgramData\RhinoSoft\Serv-U\Users directory.
|
| You're right that end users should do "2)", but I imagine it's
| pretty common to just run the installer.
| a-dub wrote:
| the name of the previous developer (rhinosoft) of the
| software appears in the directory tree, which would lead me
| to guess that maybe the original installer did set correct
| ACLs but when ported to the new post-acquisition solarwinds
| installer, that was maybe dropped. (just a guess)
|
| i dunno how modern windows admin is done, but the last time i
| worked with it it was common for large sites to use
| deployment automation and do repackaging, even if it was less
| sophisticated than what you'd see in unixland.
| DharmaPolice wrote:
| My organisation uses Serv-U. The permissions in our programdata
| folder match the article (we've not applied the most recent
| Serv-U patch which came out quite recently).
|
| But as the article says you need to be RDP'd to the server
| which for us would be Administrators. Who already have control
| over the server. Also we don't run the service as local system
| just as a regular service account with no admin rights.
|
| So while this is a vulnerability it doesn't seem overly
| critical in our case. If you let non-privileged users RDP to
| your application servers and you're running as local system
| then sure, it's pretty bad.
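The two conditions the comments above turn on (tyingq's point about the weak ACL on the Users directory, and DharmaPolice's point that exposure depends on whether the service runs as LocalSystem) can be checked from an elevated PowerShell prompt. The script below is an added example for this thread, not code from the Trustwave advisory or from SolarWinds. It assumes the directory path quoted in the thread and that the Serv-U service's display name contains "Serv-U"; the list of "broad" principals whose write access is flagged is my choice and can be extended for your environment.

```powershell
# Added example, not from the Trustwave advisory or SolarWinds.
# Audits two conditions discussed in the thread:
#   1) a Serv-U service whose logon account is LocalSystem
#   2) broad principals (Users, Authenticated Users, Everyone, INTERACTIVE)
#      holding write-type rights on the Serv-U Users directory.
# Assumptions: path and service name pattern below; adjust for your install.

param(
    [string]$UsersDir = 'C:\ProgramData\RhinoSoft\Serv-U\Users',  # path quoted in the thread
    [string]$ServicePattern = '*Serv-U*'                           # assumed display-name pattern
)

# Principals that should never be able to modify a directory the service trusts.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Write-type rights: Write (WriteData/AppendData/WriteAttributes/WriteEA), Delete,
# DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, plus the
# GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs sometimes carry.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$R::Write -bor [int]$R::Delete -bor [int]$R::DeleteSubdirectoriesAndFiles `
           -bor [int]$R::ChangePermissions -bor [int]$R::TakeOwnership `
           -bor 0x10000000 -bor 0x40000000

function Get-WeakAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Directory not found: $Path"
        return @()
    }
    $acl = Get-Acl -LiteralPath $Path
    # Keep only Allow ACEs granted to a broad principal that include any write-type bit.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

function Get-ServiceAccounts {
    param([string]$Pattern)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $Pattern -or $_.Name -like $Pattern } |
        Select-Object Name, DisplayName, StartName, State
}

# 1) Service identity: code execution inside a LocalSystem service is full control of the host.
$services = Get-ServiceAccounts -Pattern $ServicePattern
if (-not $services) { Write-Warning "No service matching $ServicePattern found" }
foreach ($svc in $services) {
    $flag = if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') { 'RUNS AS SYSTEM' } else { 'ok' }
    '{0,-25} {1,-35} {2}' -f $svc.Name, $svc.StartName, $flag
}

# 2) Directory ACL: a broad principal with write rights can alter the user records the service reads.
$weak = Get-WeakAces -Path $UsersDir
if ($weak) {
    Write-Warning "Broad principals hold write-type rights on $UsersDir :"
    $weak | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
} else {
    "No broad write access on $UsersDir"
}
```

Run it as an administrator on the Serv-U host; a clean result is a service logon account that is a dedicated low-privilege account and no flagged ACEs on the Users directory. If the directory ACL is flagged, the inherited-versus-explicit column tells you whether the installer set it directly or whether it came from a permissive parent, which is the question a-dub raised about where the weak permissions originate.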
| john37386 wrote:
| There is a deterrent disclaimer
| https://dvsfileshare.dominionvoting.com/
|
| _Access to this site is for authorized users only! All
| unauthorized use and access will be prosecuted to the fullest
| extent of the law._
|
| I'd be careful before trying anything on that server.
|
| -edit: Added italic on the disclaimer
| vmception wrote:
| I like when the hackers make complete disc images on docker and
| let people download those
|
| the hacker is the only one with any unauthorized access
| liability and all the other tinkerers have none from what I can
| tell
___________________________________________________________________
(page generated 2021-02-05 23:00 UTC)