Last updated at Mon, 12 Apr 2021 15:48:17 GMT
On Thursday, March 25, 2021, SolarWinds released fixes for four new vulnerabilities in their Orion platform, the most severe of which is an authenticated remote code execution flaw due to a JSON deserialization weakness. Fixes for these weaknesses are in Orion Platform 2020.2.5.
Given the attention attackers have paid to SolarWinds Orion in the past 4+ months, Rapid7 urges affected organizations to prioritize patching within an accelerated patch window if possible, and at the very least within the 30-day window if you are following the typical 30-60-90 day patch criticality cadence.
InsightVM and Nexpose customers can assess their exposure to these CVEs with authenticated vulnerability checks.
Vulnerability details
The Rapid7 vulnerability research team is investigating the following four new flaws in the Orion platform:
- The most critical vulnerability — an authenticated remote code execution weakness via Actions and JSON Deserialization lies within the test alert actions and has no assigned CVE identifier as of March 26, 2021. The “test alert actions” functionality is a way for Orion users to test network-level event triggers that can be set up to send alerts. While exploitation requires non-administrative-level authentication, recent history has shown that this does not seem to thwart sophisticated attackers all that much.
- The second remote code authentication weakness in the SolarWinds Orion Job Scheduler also requires authentication via non-administrative-level credentials and provides successful attackers with Administrator-level execution privileges on targeted systems. This, too, has no assigned CVE but has been rated as high by SolarWinds.
- CVE-2021-3109 is a reverse tabnabbing and open redirect flaw discovered by researcher Jhon Jaro. The weakness exists in a custom menu item options page requires an Orion administrator account for successful exploitation.
- CVE-2020-35856 is a stored cross-site scripting (XSS) vulnerability also discovered by researcher Jhon Jarow and exists in the “add custom tab within customize view page”. This last vulnerability also requires Orion administrator account for successful exploitation.
Rapid7 will update this blog post if there are any updates to the disclosed vulnerabilities without assigned CVEs or any attacker activity is discovered.
Other Orion Platform Improvements
While you should apply the update just to fix the known, exploitable flaws, SolarWinds also made some further security improvements in the 2020.2.5 release:
- Further cross-site scripting prevention improvements and many related fixes.
- Communication channel improvements for internal SolarWinds services.
- The Orion DB Manager now uses user-access control (UAC) protection
- AngularJS & MomentJS JavaScript browser libraries have both been upgraded to 1.8.0 and 2.29.1, respectively.
These enhancements should provide further incentive to update your Orion platform to the latest release.