SolarWinds patches critical vulnerabilities in the Orion platform
2021-02-03 11:19

Even with the security updates prompted by the recent SolarWinds Orion supply-chain attack, researchers still found some glaring vulnerabilities affecting the platform, one of them allowing code execution with top privileges.

The vulnerabilities were discovered and reported to SolarWinds by Martin Rakhmanov, Security Research Manager, SpiderLabs at Trustwave, and proof-of-concept exploit code is available for them.

The researcher did not publish the demo code with the report today, to give users more time to install the official patches from SolarWinds.

Analyzing a demo copy of the SolarWinds Orion software, Rakhmanov noticed that it uses the Microsoft Message Queue technology and started to poke around.

The researcher found sensitive data in the SolarWinds Orion configuration file that could be read by locally authenticated users.

Trustwave's SpiderLabs started to disclose the vulnerabilities to SolarWinds on December 30, 2020, and by January 25, 2021, the software maker had rolled out patches for all of them.


News URL

https://www.bleepingcomputer.com/news/security/solarwinds-patches-critical-vulnerabilities-in-the-orion-platform/

Related vendor

LAST 12M

VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
Solarwinds | 44 | 0 | 80 | 95 | 40 | 215