Three severe security vulnerabilities affecting SolarWinds products have been found. The most severe of these could be exploited to achieve remote code execution with elevated privileges.
The most severe flaw allows remote code execution by remote, unprivileged users by combining two issues. Because the message processing code runs as a Windows service configured to use the LocalSystem account, an attacker will have complete control of the underlying operating system.
Unprivileged users who can log in to the box locally or via RDP can run code that decrypts and recovers the cleartext password for the SolarWindsOrionDatabaseUser account. The next step is to connect to the Microsoft SQL Server with the recovered credentials, at which point the attacker has complete control over the SOLARWINDS_ORION database. From there, one can steal information or add a new admin-level user for use inside SolarWinds Orion products.
The third flaw was found in the company's Serv-U FTP server for Windows. User accounts are stored on disk in separate files, and the access control lists on that directory allow complete compromise by any authenticated Windows user. Specifically, anyone who can log in locally or via Remote Desktop can simply drop a file that defines a new user, and Serv-U FTP will automatically pick it up. Since any Serv-U FTP user can be created this way, the natural move is to define an admin account by setting a simple field in the file and then set its home directory to the root of the C:\ drive. The attacker can then log in via FTP and read or replace any file on C:\, since the FTP server runs as LocalSystem.
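A defender-side check for the directory ACL weakness described above, added here as an example and not code from SolarWinds or the researchers: it reports any ACE on a directory that lets broad groups create files there. The Serv-U user-file directory path is not given on this page, so $UserFileDir is a placeholder, and the list of "broad" principals is an assumption.

```powershell
# Added example (not SolarWinds or researcher code): audit a directory's ACL for
# file-creation rights granted to broad groups. Set $UserFileDir to the real
# directory holding the per-user account files; the default is a placeholder.
param(
    [string]$UserFileDir = 'C:\PLACEHOLDER\Serv-U\Users'
)

# Assumed list of principals that cover every local or RDP-capable user.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# CreateFiles (same bit as WriteData) is the right needed to drop a new file.
$CreateFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $id) { continue }
        $rights = [int]$ace.FileSystemRights
        # Generic rights (GENERIC_WRITE/GENERIC_ALL) show up as values outside the
        # named FileSystemRights range (FullControl = 0x1F01FF); treat them as
        # write-capable rather than silently ignoring them.
        $isGeneric = ($rights -lt 0) -or ($rights -gt 0x1F01FF)
        if ($isGeneric -or (($rights -band $CreateFiles) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$results = Test-BroadWriteAccess -Path $UserFileDir
if ($results) {
    Write-Warning "Directory '$UserFileDir' lets broad groups create files:"
    $results | Format-Table -AutoSize
} else {
    Write-Output "No broad file-creation rights found on '$UserFileDir'."
}
```

Inherited ACEs are reported too, since a permissive ACL on a parent directory is the usual way such a finding arises.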
None of the three security issues was exploited in the unprecedented supply chain attack against the Orion Platform that came to light last December.