SolarWinds ‘Supply Chain Attack’ (a.k.a. SUNBURST)

Resnofendri
Flexera

Editorial notes: This is a crosspost from the original posts which can be found on Data Platform Blog or Software Vulnerability Management Blog.


Note: this article covers a current event that is still evolving. We encourage customers to revisit it, as we will update the article as things continue to change.


Recently, the world received notice of a far-reaching intrusion campaign, potentially affecting thousands of companies and organizations, some of them government bodies. The malicious code, referred to as "SUNBURST", is a trojanized backdoor built to conceal its presence, giving the attackers a foothold for lateral movement deeper into the infrastructure and for collecting data to be transferred to third parties. A breach of this kind has far-reaching consequences and requires quick action and a sophisticated response to ensure that breached networks and systems become secure once again.

More details will surface in the weeks and months ahead, but so far we know that certain updates of the SolarWinds Orion Platform, which is the base for many further products such as the SolarWinds Network Performance Monitor, had been tampered with to distribute a backdoor through a certain library. This library is normally an inconspicuous plugin of the Orion Platform product; in this case, however, it carried a malicious payload introduced through a so-called supply-chain attack, i.e. the tainted build was delivered to customers through the vendor's own update channel.

Various teams across different Flexera solutions, namely Data Platform (DP) and Software Vulnerability Management (SVM), have been working overtime to ensure that our customers get immediate visibility into the impact of this and other vulnerabilities.


Data Platform and/or Technopedia

As of December 16, 2020, customers can expect to see:

  • all impacted SolarWinds products and/or releases captured in Technopedia
  • any existing discovered data (a.k.a. evidence) that maps to the impacted products and/or releases recognized. Note that any new evidence that customers bring into their inventory may still need to go through the gap-fill process.
  • if the entitlement to the InfoSec Content Pack is active:
    • impacted products identified
      • any CPEs associated with the impacted products and/or releases linked
    • up-to-date Secunia Advisory information linked to the available CPEs

In the future, customers can expect to see:

  • CVE references associated with the vulnerabilities. Publication depends on review/approval by the National Vulnerability Database (NVD); the CVEs are currently in "reserved" status. Technopedia updates CVE content on a daily basis.
  • threat intelligence associated with the advisory (as provided by Flexera’s Secunia Research)
    • The score associated with our security advisory today is lower than expected because of the missing CVE reference, which we anticipate will be addressed shortly


IT Visibility

IT Visibility customers can expect to see any detected installations of impacted SolarWinds products and/or releases in their inventory, provided the evidence already exists in our recognition library. Any net-new evidence may still need to go through the gap-fill process.

The capability to show the vulnerability information itself, however, is not currently available in IT Visibility. We are actively working to make it available in the first half of 2021.


FlexNet Manager Suite (FNMS)

Similar to IT Visibility, FNMS customers can also expect to see SolarWinds applications that are potentially impacted by this attack. Because application version granularity in FNMS is captured only at the major.minor level (for example 2020.2, which cannot be told apart from 2020.2.1 or a hotfix on top of it), further investigation may be needed to identify the subset of installations in their inventory with the exact build and/or patch levels.


Software Vulnerability Management (SVM), including Software Vulnerability Research (SVR)

As of December 16, 2020, SVR customers can expect to see:

  • an up-to-date Secunia Advisory containing detailed information on the vulnerabilities, including the solutions/patches and available CPEs
  • the Secunia Advisory highlighted as part of the 0-day (Zero Day) module

In the future, SVM customers can expect to see:

  • impacted software products and/or versions being detected in their inventory.
    • We are working to obtain the vulnerable products required to create file signatures. If you are aware of a customer that is impacted and is seeking detection, please have them submit a request through the normal software suggestion process, which will help us to get the details necessary.
  • CVEs associated with the vulnerabilities as they are published by a trusted source (for example, the vendor SolarWinds or MITRE)
  • threat intelligence associated with the vulnerabilities (as it is released by Flexera’s Secunia Research)
    • The score associated with our Secunia Advisory today is lower than expected because of the missing CVE reference, which we anticipate will be addressed shortly


Appendix


List of impacted SolarWinds products and/or releases:

  • SolarWinds Network Performance Monitor 2019.x
  • SolarWinds Network Performance Monitor 2020.x
  • SolarWinds Orion Platform 2019.x
  • SolarWinds Orion Platform 2020.x


List of associated Secunia Advisories:

  • SA99447: SolarWinds Orion Platform / Network Performance Monitor Multiple Vulnerabilities
  • SA99535: SolarWinds N-Central / Multiple Vulnerabilities (not related to SUNBURST)


List of available, impacted CPEs:

  • cpe:/a:solarwinds:orion_network_performance_monitor:2019.4:hotfix2
  • cpe:/a:solarwinds:orion_platform:2019.4:-
  • cpe:/a:solarwinds:orion_platform:2020.2:-
  • cpe:/a:solarwinds:orion_platform:2020.2.1:-
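The CPE list above and the FNMS note earlier (version granularity captured only at major.minor) together describe a matching problem: an inventory record must be compared against the impacted CPEs, and a record that only carries major.minor can never prove an exact build or hotfix level. The following is an added example written for this page, not Flexera code and not the recognition logic of Technopedia, FNMS, IT Visibility or SVM. It assumes inventory records have already been normalized to CPE vendor/product tokens (an assumption, since real discovery data carries display names), and the hostnames and version strings in the sample are constructed for the demo. It parses the CPE 2.2 URIs listed on this page and sorts each record into "exact", "investigate" or "none".

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Impacted CPEs exactly as listed in the appendix of this page (CPE 2.2 URI binding).
IMPACTED_CPES = [
    "cpe:/a:solarwinds:orion_network_performance_monitor:2019.4:hotfix2",
    "cpe:/a:solarwinds:orion_platform:2019.4:-",
    "cpe:/a:solarwinds:orion_platform:2020.2:-",
    "cpe:/a:solarwinds:orion_platform:2020.2.1:-",
]


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str
    update: str   # CPE 2.2: "-" means "no update/hotfix", "" means unspecified (any)


def parse_cpe22(uri: str) -> Cpe:
    """Parse cpe:/{part}:{vendor}:{product}:{version}:{update}; trailing
    components that are absent are filled with "" (unspecified)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (5 - len(fields))
    return Cpe(*fields[:5])


_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
_HF_RE = re.compile(r"(?:hotfix|hf)\s*(\d+)", re.IGNORECASE)


def split_version(text: str) -> Tuple[Optional[Tuple[int, ...]], Optional[str]]:
    """'2019.4 HF2' -> ((2019, 4), 'hotfix2'); '2020.2.1' -> ((2020, 2, 1), None).
    The hotfix is spelled the way the CPE update field on this page spells it."""
    m = _VER_RE.search(text)
    if not m:
        return None, None
    nums = tuple(int(g) for g in m.groups() if g is not None)
    hf = _HF_RE.search(text)
    return nums, (f"hotfix{hf.group(1)}" if hf else None)


def classify(vendor: str, product: str, version_text: str,
             exact_build: bool = True,
             cpes: Iterable[str] = IMPACTED_CPES) -> Tuple[str, Optional[str]]:
    """Return ("exact" | "investigate" | "none", matching CPE URI or None).

    exact_build=False models a source that only records major.minor (the FNMS
    case on this page): such a record can never be more than "investigate",
    because 2020.2, 2020.2.1 and a 2020.2 hotfix all look identical to it."""
    inv_ver, inv_upd = split_version(version_text)
    if inv_ver is None:
        return "none", None
    verdict: Tuple[str, Optional[str]] = ("none", None)
    for uri in cpes:
        c = parse_cpe22(uri)
        if (c.part, c.vendor, c.product) != ("a", vendor, product):
            continue
        cpe_ver, _ = split_version(c.version)
        if cpe_ver is None or cpe_ver[:2] != inv_ver[:2]:
            continue                        # different major.minor release line
        cpe_upd = None if c.update == "-" else c.update
        if exact_build and inv_ver == cpe_ver and cpe_upd in ("", inv_upd):
            return "exact", uri             # version and hotfix level both agree
        if verdict[0] == "none":
            verdict = ("investigate", uri)  # same release line, build/hotfix unproven
    return verdict


def scan(records, exact_build: bool = True):
    """records: iterable of (hostname, vendor, product, version_text)."""
    return [(host, *classify(v, p, ver, exact_build)) for host, v, p, ver in records]


# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE = [
    ("npm-01",   "solarwinds", "orion_network_performance_monitor", "2019.4 HF2"),
    ("orion-02", "solarwinds", "orion_platform", "2020.2.1"),
    ("orion-03", "solarwinds", "orion_platform", "2019.4 HF1"),
    ("orion-04", "solarwinds", "orion_platform", "2018.4"),
]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
    # The same 2020.2.1 host seen through a major.minor-only source:
    print(classify("solarwinds", "orion_platform", "2020.2", exact_build=False))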


List of associated CVEs:

(will be updated as soon as we receive data from trusted sources. Please check back for future updates.)