Researchers said Wednesday they've identified three severe but unexploited vulnerabilities in products sold by SolarWinds, a
company still reeling from the aftermath of a major hacking campaign. The newly revealed vulnerabilities have been patched and aren't related to the March 2020 breach, which has been blamed on Russian intelligence.
Researchers at Trustwave, the cybersecurity firm that discovered the new vulnerabilities, didn't go into technical detail about how the hackers would have exploited the flaws. Hackers have likely been looking for ways to exploit SolarWinds software, which is installed on hundreds of systems run by federal, state and local government agencies, as well as private companies, since the initial breach was discovered.
"Given the heavy focus on SolarWinds, it's really important that people pay attention to these patch cycles," said Karl Sigler, who heads the responsible disclosure of software flaws at Trustwave. The company will provide more details about the flaws on Feb. 9.
SolarWinds said in a statement that the flaws were patched in January, adding, "Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now."
The worst of the new flaws could have allowed attackers to run their own code on systems using User Device Tracker, software that runs on SolarWinds' Orion platform to monitor devices running on an organization's network. Doing so could have offered hackers the chance to install surveillance software or malicious code that gave them access to the system whenever they wanted. Most worryingly, the flaw could have been exploited remotely without access to a victim's internal systems.
Another flaw could have let hackers take control of the Orion program on a victim's systems, accessing files stored there. A third flaw could have given bad actors full access to files on a victim's computer or server through SolarWinds' ServU-FTP product, which helps customers manage access to large collections of computer files.
These two flaws would have required attackers to be logged into the server running the software from inside the victim's network before exploiting the vulnerabilities, so they would have been harder to put to use. If hackers stole a legitimate user's passwords with a phishing attack, for example, they could potentially have used it to exploit the bugs.
SolarWinds' statement reads in full:
"Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now. The vulnerabilities announced by Trustwave concerning Orion 2020.2.4 have been addressed via a fix released on Jan 25, 2021. The vulnerabilities concerning Serv-U 115.2.2 have been addressed via fixes released on Jan 21 and 22, 2021.
"Following the recent nation-state attack against an array of American software providers, including SolarWinds, we have been collaborating with our industry partners and government agencies to advance our goal of making SolarWinds the most secure and trusted software company.
"We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today's announcement aligns with this process."