---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerabilities in SolarWinds Orion Platform'
version: '1.0'
number: '2021-008'
date: 'February 4, 2021'
---

# Summary

Three critical vulnerabilities have been found in **SolarWinds Orion** platform. Two of them could be exploitable by a local attacker and a third one, the most severe of all, allows a remote, unprivileged actor to take control of the platform [1, 2]. These vulnerabilities are separate and not directly related to the earlier reported Sunburst attack.

# Technical Details

The vulnerabilities were assigned **CVE-2021-25274** [3], **CVE-2021-25275** [4], and **CVE-2021-25276** [5].

## **CVE-2021-25274**

Analysing a demo copy of the **SolarWinds Orion** software, the researcher from Trustwave [2] noticed that it uses the Microsoft Message Queue (MSMQ). He noticed that the **SolarWinds Orion Collector** service relies heavily on MSMQ, with a large list of private queues available, all of them unauthenticated. This means that unauthenticated users can send messages to the queues over TCP port 1801. Due to an insecure deserialisation, an unprivileged user can execute arbitrary code remotely.

**SolarWinds** addressed this issue by adding a digital signature validation step when new messages arrive. Without a valid signature, messages are no longer processed. MSMQ, though, remains unauthenticated and can receive messages from anyone.

## **CVE-2021-25275**

The second vulnerability discovered was that the credentials for the **Orion** backend database were insufficiently protected and local users had unrestricted access to them. The researcher found the sensitive data in the `SOLARWINDS_ORION` configuration file that could be read by locally authenticated users. With only one line of code, the researcher decrypted the credentials.

After authenticating to the Microsoft SQL Server with the recovered credentials, a threat actor would have complete control over the **SolarWinds Orion** database and could steal information or add admin-level users.

## **CVE-2021-25276**

The third vulnerability is in the **SolarWinds Serv-U FTP Server**. The researcher discovered that the accounts are stored in separate files on the disk and that an authenticated user has access to them. The FTP server runs with LocalSystem permissions, so by creating an admin account, an attacker could set the home directory to the root of the system drive and thus open the door to read or replace any file there.

# Affected Products

* SolarWinds Orion Platform

# Recommendations

**SolarWinds** released patches that address the vulnerabilities described in this advisory.

CERT-EU recommends installing **Orion Platform 2020.2.4** [6] and applying **Hotfix 1 for ServU-FTP 15.2.2** [7].

# References

[1] <https://www.bleepingcomputer.com/news/security/solarwinds-patches-critical-vulnerabilities-in-the-orion-platform/>

[2] <https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/>

[3] <https://nvd.nist.gov/vuln/detail/CVE-2021-25274>

[4] <https://nvd.nist.gov/vuln/detail/CVE-2021-25275>

[5] <https://nvd.nist.gov/vuln/detail/CVE-2021-25276>

[6] <https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>

[7] <https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip>