
6:35pm, 14 December 2020

TLP Rating: White

What's happening

Systems affected

SolarWinds has stated the vulnerability affects users of Orion versions:

  • 2019.4 HF 5
  • 2020.2 – 2020.2 HF 1

This affects the following products:

  • Application Centric Monitor (ACM)
  • Database Performance Analyzer Integration Module (DPAIM)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • Network Performance Monitor (NPM)
  • NetFlow Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

What this means

This vulnerability introduces backdoor remote execution access to servers running the vulnerable versions. A sophisticated threat actor has been using this access to compromise networks and exfiltrate data, with high-profile compromises reported in the United States. Given the nature of this vulnerability, any organisation running these versions could already be affected and is likely vulnerable to exploitation.

What to look for

How to tell if you're at risk

You are affected by this vulnerability if you are using SolarWinds Orion products listed above, running versions:

  • 2019.4 HF 5
  • 2020.2 – 2020.2 HF 1

How to tell if you're affected

The compromised Orion service beacons to a command and control server, which will be a unique subdomain of avsvmcloud[.]com. If you find evidence of this in your network logs, report it to CERT NZ immediately.
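As an added illustration of this check (example code written for this page, not CERT NZ's own tooling), the script below scans DNS query logs for resolutions of avsvmcloud[.]com or any subdomain of it, while ignoring look-alike names that merely contain the string. The log line format and the sample lines are constructed for the example; adapt the regular expression to your resolver's format.

```python
import re
from typing import Iterable, List, Tuple

# C2 domain exactly as given in the advisory (defanged); refanged here for matching.
C2_DOMAIN = "avsvmcloud[.]com".replace("[.]", ".")

# Constructed sample DNS query log lines (not real traffic); subdomain labels are made up.
SAMPLE_DNS_LOG = """\
2020-12-14T06:01:12Z dns01 query: orion-srv01 A c0nstructed1abel0001.avsvmcloud.com
2020-12-14T06:01:13Z dns01 query: ws-042 A updates.example.com
2020-12-14T06:02:40Z dns01 query: orion-srv01 A AVSVMCLOUD.COM.
2020-12-14T06:03:05Z dns01 query: ws-017 A avsvmcloud.com.example.org
2020-12-14T06:04:22Z dns01 query: orion-srv02 A c0nstructed1abel0002.avsvmcloud.com
"""

# Assumed (constructed) log format: <timestamp> <resolver> query: <client> <qtype> <qname>
LOG_RE = re.compile(r"query:\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$")


def is_c2_name(qname: str, c2_domain: str = C2_DOMAIN) -> bool:
    """True if qname is the C2 apex or any subdomain of it.

    Comparison is case-insensitive and tolerates a trailing dot (FQDN form).
    A name that only contains the domain as a prefix, such as
    avsvmcloud.com.example.org, is deliberately NOT matched.
    """
    name = qname.rstrip(".").lower()
    return name == c2_domain or name.endswith("." + c2_domain)


def find_beacons(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) for every query that resolved a name under the C2 domain."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_c2_name(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits


if __name__ == "__main__":
    for client, qname in find_beacons(SAMPLE_DNS_LOG.splitlines()):
        print(f"possible Orion beacon from {client}: {qname}")
```

Every client reported by this script is a host to isolate and investigate, not just the Orion server itself.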

What to do

Prevention

CERT NZ recommends that you immediately isolate any Orion server from the network and apply the hotfix released by SolarWinds:

  • Orion Platform version 2019.4 HF 6
  • Orion Platform version 2020.2.1 HF 2

CERT NZ strongly recommends that users of the affected versions rebuild servers now that the patches are available.

In addition to patching, CERT NZ recommends taking additional measures, including:

  • changing the passwords of all accounts accessible to Orion servers
  • analysing the configurations of all network devices managed by the Orion platform for signs of alteration.

Organisations should consider the impacts and applicability of these steps on their specific network operations prior to implementing these mitigations.

CERT NZ will be revising this advisory as more information becomes available.

Mitigation

If you have concerns about a possible compromise of your network via this vulnerability, we encourage you to report it to us immediately via www.cert.govt.nz/report.

More information