Severity
High
Analysis Summary
Three severe security vulnerabilities affecting SolarWinds products have been found. The most severe of these could be exploited to achieve remote code execution with elevated privileges.
CVE-2021-25274
This flaw allows remote code execution by remote, unprivileged users by chaining two issues. Because the message-processing code runs as a Windows service configured to use the LocalSystem account, an attacker who exploits it gains complete control of the underlying operating system.
CVE-2021-25275
Unprivileged users who can log in to the host locally or via RDP are able to run the decryption code and recover the cleartext password for the SolarWindsOrionDatabaseUser account. The next step is to connect to the Microsoft SQL Server with the recovered credentials, at which point attackers have complete control over the SOLARWINDS_ORION database. From there, they can steal information or add a new admin-level user for use inside SolarWinds Orion products.
CVE-2021-25276
This flaw was found in the company's Serv-U FTP server for Windows. Accounts are stored on disk in separate files, and the directory's access control lists allow complete compromise by any authenticated Windows user. Specifically, anyone who can log in locally or via Remote Desktop can drop a file that defines a new user, and Serv-U FTP will automatically pick it up. Because any Serv-U FTP user can be created this way, an attacker can define an admin account by setting a single field in the file and point its home directory at the root of the C:\ drive. The attacker can then log in via FTP and read or replace any file on C:\, since the FTP server runs as LocalSystem.
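A defender-side check for the root cause described above, added here as an example and not part of the advisory or of Serv-U itself: it audits a directory's ACL for write access granted to broad principals such as Authenticated Users, which is exactly the condition that lets a low-privilege user drop an account file into a directory consumed by a LocalSystem service. The Serv-U user-file directory path is an assumed placeholder.

```powershell
# Added example (not from the advisory): audit a directory's ACL for write access
# granted to broad, low-privilege principals. The weakness behind CVE-2021-25276 is
# that the directory holding Serv-U per-user account files is writable by any
# authenticated Windows user while the service runs as LocalSystem.
# $Path is an assumption: point it at the Serv-U user-definition directory on the host.

function Test-BroadWriteAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )

    # Principals that effectively mean "any logged-on user".
    $broadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow creating or replacing files in the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

# Usage: replace the placeholder with the real account-file directory.
$servUUserDir = 'C:\PLACEHOLDER\ServU\Users'
$hits = Test-BroadWriteAccess -Path $servUUserDir
if ($hits) {
    Write-Warning "Low-privilege principals can write to $servUUserDir; tighten the ACL."
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No broad write access found on $servUUserDir."
}
```

The same function can be run against any directory that a LocalSystem service reads configuration from; inherited ACEs are reported too, since the fix may have to be applied higher up the tree.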
None of the three security issues have been exploited in the unprecedented supply chain attack targeting the Orion Platform that came to light last December.
Impact
- Remote Code Execution
- Privilege Escalation
- Full System Control
Affected Vendors
SolarWinds
Affected Products
Orion Platform and Serv-U FTP
Remediation
It’s highly recommended that users install the latest versions of Orion Platform and Serv-U FTP (15.2.2 Hotfix 1) to mitigate the risks associated with the flaws.