
New, critical vulnerability discovered that could let attackers gain entry to SolarWinds systems

The Chinese espionage group Spiral twice exploited an internet-facing SolarWinds server in 2020, according to researchers from the Secureworks Counter Threat Unit. ("SolarWinds letters" by sfoskett is licensed under CC BY-NC-SA 2.0)

Researchers from Trend Micro found two remote code execution (RCE) vulnerabilities – one of them critical – that could allow an attacker to take over SolarWinds Orion systems.

Trend Micro’s Zero Day Initiative (ZDI) team, which has worked closely with SolarWinds to help security teams respond to the massive hack, said the second RCE was rated “high” severity rather than critical.

“The vulnerabilities reported by the ZDI could allow a remote attacker to take over an affected SolarWinds system,” said Brian Gorenc, senior director of vulnerability research for Trend Micro and ZDI lead. “These are significant vulnerabilities and the patches should be tested and deployed as soon as they become available.”

In the case of the critical RCE, Gorenc said the specific flaw exists within the OneTimeJobSchedulerEventsService Windows Communication Foundation (WCF) service. He said the issue results from a lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. Gorenc said an attacker can leverage this vulnerability to escalate privileges and execute arbitrary code. In essence, the attacker can take any action the System account can take.

“Once they have System, they can pretty much own the box,” said Gorenc. “However, an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.”

For the second RCE, the specific flaw exists within the JobRouterService WCF service. Gorenc said it was caused by the WCF service configuration, which allows unprivileged users to access a critical resource. Attackers can leverage this vulnerability to execute code in the context of an administrator. As with the first flaw, an attacker must be authenticated to exploit this vulnerability.

“SolarWinds Orion customers might already be in a precarious, vulnerable situation,” said Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber. “Exploits have occurred, known vulnerabilities have been disregarded and many cyber security and IT operations teams are still cleaning up. We highly suggest remediation of previous Orion vulnerabilities first, implement all needed compensating controls, re-configure systems as necessary and then upgrade to the Orion Platform 2020.2.5 release as soon as possible to protect against this RCE.”

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, said the latest findings are not surprising, especially after the recent highly visible, serious security incident experienced by SolarWinds.

“When there are so many security professionals paying full attention to your company and software, it will only help uncover additional security vulnerabilities,” Carson said. “The RCE identified by ZDI Trend Micro is certainly a concern and critical, however, it does require an authenticated user to exploit it. This highlights the importance of protecting privileged users with a strong privileged access security solution that will make it harder for cybercriminals to easily abuse such exploits.”

Charles Ragland, security engineer at Digital Shadows, added that the critical RCE discovered by ZDI would let an attacker leverage JSON deserialization. Serialization converts an in-memory object into a data format that can be stored or transmitted and then restored at a later point in time.

“Deserialization is essentially the reverse of that process,” Ragland said. “Creating a crafted payload to be deserialized server-side, you can cause a variety of unintended effects, including RCE. In this instance, someone who has gained access to an Orion server as an authenticated user could trigger this via the test alert action. Orion has become a popular platform for IT administration, and performing arbitrary code execution on that system could provide an attacker with a plethora of opportunities to move laterally, exfiltrate data, or perform destructive actions.”
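Gorenc attributes the critical flaw to a lack of validation of user-supplied data before it is deserialized, and Ragland explains why a crafted payload handed to a deserializer is dangerous. The following Python example, added here and not code from SolarWinds, Trend Micro or any of the people quoted, shows what "validate before you deserialize" looks like in practice for a JSON job request: the payload is parsed as plain data, checked against a strict allowlist schema, and refused if it carries type-hint keys such as Json.NET's `$type` discriminator, which polymorphic deserializers would otherwise use to decide which class to instantiate. The job schema, the allowed actions and all sample payloads are constructed for illustration.

```python
"""Schema-validated parsing of an untrusted JSON job request.

Hypothetical job schema, added as an illustration of validating user-supplied
data before deserializing it. Not SolarWinds Orion code.
"""
import json
from dataclasses import dataclass

MAX_PAYLOAD_BYTES = 4096
MAX_DEPTH = 4
# Keys that polymorphic JSON deserializers treat as type hints. "$type" is the
# Json.NET convention; the other two are further examples of the same idea.
TYPE_HINT_KEYS = frozenset({"$type", "@type", "@class"})
ALLOWED_ACTIONS = frozenset({"ping", "collect_metrics"})   # constructed allowlist


class RejectedPayload(ValueError):
    """Raised when a payload fails validation; the request is not processed."""


@dataclass(frozen=True)
class Job:
    job_id: int
    action: str
    target: str


def _check_shape(node, depth=0):
    """Walk the parsed JSON and reject structures a Job never contains."""
    if depth > MAX_DEPTH:
        raise RejectedPayload("nesting too deep")
    if isinstance(node, dict):
        hints = TYPE_HINT_KEYS.intersection(node)
        if hints:
            raise RejectedPayload(f"type hint key not allowed: {sorted(hints)}")
        for value in node.values():
            _check_shape(value, depth + 1)
    elif isinstance(node, list):
        for item in node:
            _check_shape(item, depth + 1)


def parse_job(payload: bytes) -> Job:
    """Parse raw request bytes into a Job, or raise RejectedPayload."""
    if len(payload) > MAX_PAYLOAD_BYTES:
        raise RejectedPayload("payload too large")
    try:
        doc = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedPayload(f"malformed JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise RejectedPayload("top level must be an object")
    _check_shape(doc)
    expected = {"job_id": int, "action": str, "target": str}
    if set(doc) != set(expected):
        unexpected = sorted(set(doc) ^ set(expected))
        raise RejectedPayload(f"unexpected or missing keys: {unexpected}")
    for key, typ in expected.items():
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(doc[key], typ) or isinstance(doc[key], bool):
            raise RejectedPayload(f"field {key!r} must be {typ.__name__}")
    if doc["action"] not in ALLOWED_ACTIONS:
        raise RejectedPayload(f"action not allowed: {doc['action']!r}")
    if not doc["target"].isprintable() or len(doc["target"]) > 253:
        raise RejectedPayload("target is not a plausible host name")
    return Job(doc["job_id"], doc["action"], doc["target"])


def triage(payload: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>'; handy for logging decisions."""
    try:
        parse_job(payload)
        return "accepted"
    except RejectedPayload as exc:
        return f"rejected: {exc}"


# Constructed sample payloads (not captured from any real system).
GOOD = b'{"job_id": 17, "action": "ping", "target": "db01.example.internal"}'
TYPE_HINTED = (b'{"$type": "Some.Assembly.Type, Some.Assembly", '
               b'"job_id": 17, "action": "ping", "target": "x"}')
EXTRA_FIELD = (b'{"job_id": 17, "action": "ping", "target": "x", '
               b'"callback": "http://callback.example"}')
WRONG_TYPE = b'{"job_id": "17", "action": "ping", "target": "x"}'

if __name__ == "__main__":
    samples = [("GOOD", GOOD), ("TYPE_HINTED", TYPE_HINTED),
               ("EXTRA_FIELD", EXTRA_FIELD), ("WRONG_TYPE", WRONG_TYPE)]
    for name, sample in samples:
        print(f"{name:12} {triage(sample)}")
```

The design point is that the deserializer never gets to choose a type: the code decides up front exactly which keys, value types and actions are acceptable, and everything else, including any type-hint key, is rejected before an object is built. In a .NET service the equivalent is to deserialize into a fixed target type with type-name handling disabled and then apply the same field-level checks.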
