Voyager18 (research)

SolarWinds Orion API & Windows DNS are the most visited vulnerabilities on Remedy Cloud

Roy Horev | May 10, 2021

At Vulcan Cyber, we keep our finger on the pulse of the cyber security field, and a big part of that is getting a real-time understanding of which vulnerabilities the industry considers most crucial at any given time. Based on Q1 2021 visitor statistics for Vulcan Remedy Cloud, the SolarWinds Orion API and Windows DNS vulnerabilities topped the list as the most visited CVEs. These vulnerabilities have system administrators particularly concerned right now, and with good reason: either one, if exploited, could have a major impact on any affected business.

Read on to find out all you need to know to avoid both of these vulnerabilities:

What is the SolarWinds Orion API vulnerability?

SolarWinds Orion is a very popular platform for IT infrastructure management and remote monitoring. As such, the software has a very high level of access to the customer organization's resources and assets. Any attacker identifying and exploiting vulnerabilities in this software would be able to gain access to those same resources and assets, with potentially devastating results.

The SolarWinds Orion API extends the functionality of the platform itself, allowing it to connect and interact with other SolarWinds products.

The SolarWinds Orion API vulnerability CVE-2020-10148 is an authentication bypass in the API: it allows an attacker to execute API commands without authenticating, compromising the security of SolarWinds Orion and leaving the organization's assets exposed.

This vulnerability has a CVSS of 7.5—high severity.

Does the SolarWinds Orion API vulnerability affect me?

To find your SolarWinds Orion product version, check the footer of the Orion Web Console. If the Orion Web Console is not available, follow Resolution #2 or #3 in this SolarWinds document.

You are affected by this vulnerability if you are running one of the following versions of the SolarWinds Orion Platform:

  • 2019.4 HF 5, 2020.2 with no hotfix installed
  • 2020.2 HF 1

Later versions of the SolarWinds Orion Platform, specifically versions 2019.4.2, 2020.2.4, and 2020.2.5, have been released specifically to remedy this vulnerability. The CERT Coordination Center at Carnegie Mellon University has created a Python 3 script that checks for vulnerable SolarWinds Orion servers.

The following SolarWinds Orion products are known to be affected and should be remediated immediately:

  • Application Centric Monitor (ACM)
  • Database Performance Analyzer Integration Module* (DPAIM*)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • User Device Tracker (UDT)
  • Network Performance Monitor (NPM)
  • NetFlow Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

Has the SolarWinds Orion API vulnerability been actively exploited in the wild?

Yes, this vulnerability has led to one of the most severe series of attacks in recent years. Beginning in December 2020, the SUNBURST trojan took advantage of this vulnerability to infiltrate thousands of businesses and government offices, including the Department of Homeland Security (DHS), the State Department, the U.S. Commerce and Treasury Departments, and the National Institutes of Health, leading Microsoft President Brad Smith to call this “the largest and most sophisticated attack the world has ever seen.” 

According to U.S. intelligence, the attacks were carried out by a Russian-sponsored actor in order to collect intelligence, though Russia has denied the charge. Another exploit, known as SUPERNOVA, was also discovered around the same time.

How do I remediate the SolarWinds Orion API vulnerability?

Recommended solution: Full upgrade

Upgrade to one of the fixed releases listed above (2019.4.2, 2020.2.4, or 2020.2.5).

Interim solution: Mitigation

If for some reason a full upgrade is not possible (for instance, when mission-critical demand for system availability precludes any downtime), SolarWinds has provided a mitigation script for temporary use:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a command-line tool, called CHIRP, to search for indicators of compromise related to the SolarWinds Orion API vulnerability.

What is the Windows DNS server remote code execution vulnerability?

This vulnerability has a CVSS of 10—critical severity.

A remote code execution (RCE) vulnerability is one which, if exploited, allows an attacker to bypass authentication and run code of their choosing on the server with high privileges. If exploited, RCE vulnerabilities can lead to total loss of control over the system as well as data leakage or loss.

The Windows DNS server remote code execution vulnerability CVE-2020-1350, also known as SIGRed, is an RCE vulnerability that affects the DNS Server role on the Windows Server platform.

Because DNS is a foundational and highly connected technology, and because this vulnerability is “wormable” (meaning an exploit can spread from computer to computer without human interaction), it has been assigned a critical severity ranking and should be remediated as soon as possible.

Does the Windows DNS server remote code execution vulnerability affect me?

Probably not. Microsoft has been quick to reassure customers that this vulnerability only applies to Windows Server hosts running the DNS Server role. The Windows DNS client is unaffected.

Since most businesses do not run their own DNS servers, or use other OSes besides Windows for their DNS servers, the majority of organizations will not be affected by this vulnerability. However, it does apply to both internal and external DNS servers.

The following Windows Server versions are affected by this vulnerability:

  • Windows Server version 2004
  • Windows Server version 1909
  • Windows Server version 1903
  • Windows Server version 1803
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
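An added triage script (not from the original post, and not Microsoft's or SolarWinds' code) that applies the two conditions above: the host must have the DNS Server role installed and must be one of the listed Windows Server releases. It assumes it runs in an elevated PowerShell session on the server being checked; the build-number-to-release mapping is general Windows version knowledge rather than data from the post, and the script cannot tell whether the patch has already been applied.

```powershell
# Added example: is this host in scope for CVE-2020-1350 (SIGRed)?
# Scope = DNS Server role present AND an affected Windows Server release.
# Patch status is NOT determined here; confirm the Microsoft update separately.

function Get-DnsServerExposure {
    # The DNS Server role runs as the 'DNS' service; the client ('Dnscache') is unaffected.
    $dnsService       = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    $dnsRoleInstalled = $null -ne $dnsService
    $dnsRunning       = $dnsRoleInstalled -and ($dnsService.Status -eq 'Running')

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server

    # Kernel build numbers of the releases listed in the article (general Windows facts,
    # not taken from the post). Windows 10 shares some builds, hence the ProductType check.
    $affectedBuilds = @{
        19041 = 'Windows Server version 2004'
        18363 = 'Windows Server version 1909'
        18362 = 'Windows Server version 1903'
        17134 = 'Windows Server version 1803'
        17763 = 'Windows Server 2019'
        14393 = 'Windows Server 2016'
        9600  = 'Windows Server 2012 R2'
        9200  = 'Windows Server 2012'
        7601  = 'Windows Server 2008 R2'
        7600  = 'Windows Server 2008 R2'
        6003  = 'Windows Server 2008'
        6002  = 'Windows Server 2008'
    }
    $affectedRelease = $affectedBuilds[$build]

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OsCaption        = $os.Caption
        Build            = $build
        AffectedRelease  = $affectedRelease
        DnsServerRole    = $dnsRoleInstalled
        DnsServerRunning = $dnsRunning
        # True means: patch this host (or apply the interim workaround) and verify.
        InScope          = ($isServer -and $dnsRoleInstalled -and $null -ne $affectedRelease)
    }
}

Get-DnsServerExposure | Format-List
```

Run it across your server estate (for example via Invoke-Command) to build the list of hosts that need the patch or the interim workaround; a host that reports InScope = False is outside this vulnerability's reach regardless of its patch level.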

Has the Windows DNS server remote code execution vulnerability been actively exploited in the wild?

Not yet. This is probably due to the relatively small number of organizations using the Windows Server platform in DNS server mode. However, Microsoft has rated this vulnerability “Exploitation More Likely” on its Exploitability Index. This means that:

  • An attack is possible.
  • There have been past attacks based on similar vulnerabilities.
  • It is an attractive target for attackers.

How do I remediate the Windows DNS server remote code execution vulnerability?

Recommended solution: Full upgrade

The full upgrade that resolves this vulnerability was included in December’s monthly rollup (Patch Tuesday). To fully remediate this vulnerability, immediately implement the patches released by Microsoft.

Interim solution: Mitigation

If a full upgrade is impossible, Microsoft has released a temporary workaround. This involves a basic modification to a registry key followed by a reboot, and it provides a temporary defense against this vulnerability until your organization can perform a full upgrade. However, Microsoft warns that the workaround may interfere with other key server functions. Be sure to fully back up your registry before attempting this workaround.
