6:35pm, 14 December 2020
SolarWinds Orion vulnerability being actively exploited - updated advisory
UPDATE: 21 December 2020 at 2.45pm:
CISA (US Cybersecurity and Infrastructure Security Agency) have updated their alert (AA20-352A) to include additional Indicators of Compromise (IoCs) and further mitigation advice – see the 'more information' section for the link.
Further updates have been made to the 'how to tell if you're affected' section; see details below.
UPDATE: 17 December 2020 at 1.55pm:
The latest hotfix released by SolarWinds is now available - see details below.
UPDATE: 15 December 2020 at 4.00pm:
New updates below which include more details on the vulnerable SolarWinds Orion systems and products affected as well as links to the latest version of the hotfix. In addition, FireEye has published a list of IoCs and detection rules - see the more details section for the link.
CERT NZ is aware that a critical vulnerability in the SolarWinds Orion network management platform is being actively exploited by a sophisticated threat actor. CERT NZ understands this is the same vector used in high-profile compromises, such as that of the security firm FireEye.
SolarWinds has released a hotfix patch to mitigate this vulnerability, and will release an additional hotfix, expected Wednesday 16 December (New Zealand Time). Following discussions with our international partners, CERT NZ is advising organisations using the versions detailed below to consider isolating these servers immediately and making sure no internet egress is permitted until the servers can be patched and secured.
Organisations need to carefully assess the applicability of this guidance based on their network configuration and dependencies.
SolarWinds has stated the vulnerability affects users of Orion versions:
- 2019.4 HF 5
- 2020.2 – 2020.2 HF 1
This affects the following products:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
What this means
This vulnerability introduces backdoor remote execution access to servers running the vulnerable versions. A sophisticated threat actor has been using this access to compromise networks and exfiltrate data, with high-profile compromises reported in the United States. The nature of this vulnerability means any organisation using these versions could be affected or is likely vulnerable to exploitation.
What to look for
How to tell if you're at risk
You are affected by this vulnerability if you are using SolarWinds Orion products listed above, running versions:
- 2019.4 HF 5
- 2020.2 – 2020.2 HF 1
How to tell if you're affected
The compromised Orion service beacons to a command and control server, which will be a unique subdomain of avsvmcloud[.]com. If any subdomain of this domain appears in your network logs, report it to CERT NZ immediately.
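One way to run this check over exported DNS or proxy logs is sketched below. It is an added example, not part of the CERT NZ advisory or any vendor tooling; the log layout, the sample lines and the function names are assumptions made for illustration. It matches on DNS label boundaries, so look-alike names are not reported.

```python
import re
from collections import Counter

# C2 apex domain from the advisory, kept defanged in source and refanged at runtime.
C2_APEX = "avsvmcloud[.]com".replace("[.]", ".")

# Runs of characters that can appear in a hostname; everything else is a separator.
TOKEN_RE = re.compile(r"[A-Za-z0-9._-]+")


def is_c2_name(name):
    """True for the apex or any subdomain, matched on a DNS label boundary."""
    name = name.strip(".").lower()  # drop the trailing root dot, ignore case
    return name == C2_APEX or name.endswith("." + C2_APEX)


def find_beacons(lines):
    """Return (line_number, hostname) for every matching name in the log lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        # Refang so names pasted from IoC lists or tickets are also caught.
        for token in TOKEN_RE.findall(line.replace("[.]", ".")):
            if is_c2_name(token):
                hits.append((lineno, token.strip(".").lower()))
    return hits


def summarise(hits):
    """Count sightings per unique subdomain."""
    return Counter(name for _, name in hits)


# Constructed sample lines (hypothetical log format, documentation IP range).
SAMPLE_LOG = """\
2020-12-14T03:11:09Z 192.0.2.10 query A constructed-label-1.avsvmcloud.com.
2020-12-14T03:11:12Z 192.0.2.11 query A www.cert.govt.nz.
2020-12-14T03:12:40Z 192.0.2.10 query A CONSTRUCTED-LABEL-2.AVSVMCLOUD.COM
2020-12-14T03:13:02Z 192.0.2.12 query A notavsvmcloud.com
2020-12-14T03:13:30Z 192.0.2.12 query A avsvmcloud.com.example.org
2020-12-14T03:14:55Z 192.0.2.10 GET http://constructed-label-1.avsvmcloud.com/path
""".splitlines()

if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for lineno, name in found:
        print(f"line {lineno}: {name}")
    for name, count in summarise(found).items():
        print(f"{count} sighting(s) of {name}")
```

Any hit identifies a log line to include when reporting to CERT NZ; the absence of hits only covers the period and sources the logs retain.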
What to do
CERT NZ recommends that you immediately isolate any Orion server from the network and apply the hotfix, released by SolarWinds:
- Orion Platform version 2019.4 HF 6
- Orion Platform version 2020.2.1 HF 2
CERT NZ strongly recommends that users of the affected versions rebuild servers now that the patches are available.
In addition to patching, CERT NZ recommends taking additional measures, including:
- changing passwords of all accounts accessible to Orion servers
- analysing all configuration for network devices managed by the Orion platform for alteration.
Organisations should consider the impacts and applicability of these steps on their specific network operations prior to implementing these mitigations.
CERT NZ will be revising this advisory as more information becomes available.
If you have concerns about a possible compromise of your network via this vulnerability, we encourage you to report it to us via www.cert.govt.nz/report immediately.
SolarWinds’ security advisory
CISA’s Alert AA20-352A
The Department of Homeland Security’s Emergency Directive 21-01
FireEye’s write up of the vulnerability and post-compromise activity
FireEye’s detection rulesets
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.