Researchers at Trustwave reported three new vulnerabilities in SolarWinds products – the latest hurdle for the first company linked to a massive espionage campaign that breached government agencies and private sector firms.
The vulnerabilities, which have already been patched, included a remote code execution flaw in Orion that required only network access. That flaw allows hackers to use an improperly installed Microsoft Message Queuing (MSMQ) service to send commands for a server to execute.
Two other vulnerabilities require local access. One flaw in SolarWinds Serv-U FTP allows users to grant themselves read and write access, while a second flaw in Orion stemmed from insecurely stored credentials guarding the SOLARWINDS_ORION database.
Trustwave reported the vulnerabilities Dec. 29 to SolarWinds, which included the patch in an update last week. Anyone with that update is protected.
SolarWinds, a widely used network management vendor, was the first of a handful of firms leveraged in supply chain attacks that the U.S. government linked to the Russian government. On Tuesday, Reuters reported that Chinese intelligence also used SolarWinds vulnerabilities during their own espionage activity.
"We definitely found these because there's more interest in SolarWinds," said Karl Sigler, senior research manager at Trustwave's SpiderLabs, who cautioned people against drawing too much from the disclosure. "If we give our researchers any product they will find a vulnerability."
Sigler expects a surge of both researchers and criminals looking at the company as a result of the publicity, which inevitably will lead to more vulnerabilities being found. Trustwave (and, Sigler expects, other groups) turned their attention to SolarWinds after learning of the breach.
"I would love to say that as soon as the patch came out, everyone would update," said Sigler. "It would not be true. It probably wouldn't even be true about the update after the breach."
Even though he does not believe the disclosures should reflect on the quality of SolarWinds code, Sigler said all products within supply chains will have to adapt to the new reality that began after the SolarWinds breaches were discovered. Indeed, SC Media reported last week about software company executives ordering sweeping new assessments of their products, looking for any signs of suspicious activity, code anomalies, or exploits.
"Soon, all companies are going to have to provide proof of due diligence in securing their code," Sigler said.