13 Dec 2020
New updates from CERT NZ include more details on the vulnerable SolarWinds Orion versions and products affected, as well as links to the latest version of the hotfix. In addition, FireEye has published a list of Indicators of Compromise (IoCs) and detection rules; see the more details section for the link.
CERT NZ is aware of a critical vulnerability in the SolarWinds Orion network management platform that is being actively exploited by a sophisticated threat actor. CERT NZ understands this is the same vector used in high-profile compromises, including that of the security firm FireEye.
SolarWinds has released a hotfix to mitigate this vulnerability and will release an additional hotfix, expected Wednesday 16 December (New Zealand time). Following discussions with our international partners, CERT NZ advises organisations running the versions detailed below to consider isolating these servers immediately and ensuring that no internet egress is permitted until the servers can be patched and secured.
Organisations need to carefully assess the applicability of this guidance based on their network configuration and dependencies.
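One way to enforce the "no internet egress" step on a Windows host running Orion, using the built-in Windows Firewall. This is an added example and is not part of the CERT NZ advisory or SolarWinds guidance; the rule names and the internal range 10.0.0.0/8 are assumptions and should be replaced with the management and monitoring ranges the server genuinely needs to reach.

```powershell
# Added example (not from the CERT NZ advisory): isolate an Orion server by
# default-denying outbound traffic and allowing only assumed internal ranges.
# Run in an elevated PowerShell session on the Orion server itself.

# Assumption: internal ranges the server must still reach (polling targets,
# database server, jump hosts). Adjust before use.
$allowedRemote = @('10.0.0.0/8')
$ruleName      = 'Orion-Isolation-AllowInternal'   # assumed rule name

# 1. Explicit outbound allow to the internal ranges only. Allow rules take
#    precedence over a Block default, so this is what keeps internal monitoring
#    working once the default is flipped in step 2.
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Allow `
    -RemoteAddress $allowedRemote -Profile Any -Enabled True | Out-Null

# 2. Default-deny every other outbound connection on all three profiles.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Verify the configuration actually applied.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action

# 4. Confirm egress is blocked in practice: expect False for an internet host
#    and True for an allowed internal host (replace 10.0.0.10 with a real one).
Test-NetConnection -ComputerName 1.1.1.1  -Port 443 -InformationLevel Quiet
Test-NetConnection -ComputerName 10.0.0.10 -Port 443 -InformationLevel Quiet
```

Two caveats a practitioner should check before relying on this. First, any pre-existing outbound Allow rule (including the built-in Core Networking rules) still applies after the default is set to Block, so list them with `Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True` and review them; DNS resolution against an external resolver is itself internet egress and should be pointed at an internal resolver or blocked. Second, a host-based firewall is controlled by the same host you are treating as potentially compromised, so the network-layer isolation the advisory describes (switch port, VLAN or perimeter ACL) should be applied as well rather than instead.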
SolarWinds has stated the vulnerability affects users of Orion versions:
This affects the following products:
This vulnerability provides backdoor remote execution access to servers running the vulnerable versions. A sophisticated threat actor has been using this access to compromise networks and exfiltrate data, with high-profile compromises already reported in the United States. An organisation running these versions should treat itself as vulnerable to exploitation and as potentially already compromised.
CERT NZ recommends that you immediately isolate any Orion server from the network and apply the hotfix, released by SolarWinds:
For the 2020 platform version, immediately apply the subsequent hotfix when available:
CERT NZ strongly recommends that users of the affected versions rebuild servers once the 2020.2.1 HF 2 patch is available.
In addition to patching, CERT NZ recommends taking additional measures, including:
Organisations should consider the impacts and applicability of these steps on their specific network operations prior to implementing these mitigations.
CERT NZ will be revising this advisory as more information becomes available.