Multiple Security Vulnerabilities in SolarWinds Orion

Published: 2021-02-04

0x00 Vulnerability Overview

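Last year, the SolarWinds supply-chain attack drew worldwide attention.

On February 3, 2021, multiple security vulnerabilities were disclosed in the SolarWinds Orion platform and the SolarWinds Serv-U FTP server. These vulnerabilities were not used in the SolarWinds Orion platform supply-chain attack. All of them have now been fixed, but the researchers have stated that PoCs for these vulnerabilities will be published on February 9.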

 

0x01 Vulnerability Details


 

The vulnerabilities disclosed this time are as follows:

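| Product                      | CVE            | Type                     | Rating |
|------------------------------|----------------|--------------------------|--------|
| SolarWinds Orion platform    | CVE-2021-25274 | RCE                      | High   |
| SolarWinds Orion platform    | CVE-2021-25275 | Information disclosure   | Medium |
| SolarWinds Serv-U FTP server | CVE-2021-25276 | Improper access control  | Medium |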

 

SolarWinds Orion Remote Code Execution Vulnerability (CVE-2021-25274)

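The SolarWinds Collector Service uses MSMQ (Microsoft Message Queuing) but does not set permissions on its private queues. An unauthenticated remote attacker can send malicious messages to a queue over TCP port 1801. When it processes such messages, the Collector Service deserializes them in an unsafe manner, which allows the remote attacker to execute arbitrary code as LocalSystem and ultimately take full control of the server.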


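SolarWinds fixed this vulnerability by adding digital-signature verification when new messages arrive; messages without a valid signature are no longer processed. However, MSMQ itself is still unauthenticated and can accept messages from anyone.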
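The fix described above, sketched as an added example (not SolarWinds code and not from the original advisory): the consumer authenticates the raw bytes before any deserialization and drops everything else. HMAC-SHA256 with a shared key stands in for the digital signature, and the frame layout, key and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Assumption: a shared key provisioned out of band. A real deployment would
# load it from a protected store or use asymmetric signatures instead.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def sign_message(body, key=KEY):
    """Producer side: serialize to JSON and prepend an HMAC-SHA256 tag."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def receive_message(frame, key=KEY):
    """Consumer side: authenticate the raw bytes first, then parse.

    Returns the decoded dict, or None when the frame is dropped.
    """
    if len(frame) <= TAG_LEN:
        return None  # too short to carry both a tag and a payload
    tag, payload = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # unsigned or tampered: dropped before any parsing
    try:
        body = json.loads(payload)  # data-only format, builds no objects
    except ValueError:
        return None
    return body if isinstance(body, dict) else None


def drain(queue):
    """Process frames in order; return (accepted bodies, dropped count)."""
    accepted, dropped = [], 0
    for frame in queue:
        body = receive_message(frame)
        if body is None:
            dropped += 1
        else:
            accepted.append(body)
    return accepted, dropped


def demo():
    """Run the gate over constructed sample frames."""
    good = sign_message({"job": "poll", "node": 7})
    tampered = good[:-1] + b"!"            # payload altered after signing
    unsigned = b'{"job":"poll","node":7}'  # sender that does not hold the key
    return drain([good, tampered, unsigned, b""])
```

Because the queue itself still accepts messages from any sender, a check of this kind is the only barrier in front of the parser, so limiting which hosts can reach TCP port 1801 remains worthwhile.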

 

SolarWinds Orion Sensitive Information Disclosure Vulnerability (CVE-2021-25275)

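The credentials for the SolarWinds Orion back-end database SOLARWINDS_ORION are stored in a file that non-administrator users can read. As a result, any user with access to the file system can read the Orion database login information from the system and use those credentials to obtain owner privileges on the Orion database.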


 

SolarWinds Serv-U FTP (Windows) Improper Access Control Vulnerability (CVE-2021-25276)

This vulnerability exists in the SolarWinds Serv-U FTP server for Windows. Any attacker who can log in to the system locally or through Remote Desktop can exploit it to log in to FTP and ultimately read or replace any file on the C: drive.

 

Affected Versions

SolarWinds Orion < 2020.2.4

SolarWinds ServU-FTP < 15.2.2 Hotfix 1

 

 

0x02 Remediation Recommendations

These vulnerabilities have now been fixed. Upgrading to the latest version is recommended.

SolarWinds Orion Platform 2020.2.4

SolarWinds ServU-FTP 15.2.2 Hotfix 1

Download links:

https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm

https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip

 

0x03 References

https://www.bleepingcomputer.com/news/security/solarwinds-patches-critical-vulnerabilities-in-the-orion-platform/

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28389

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25274

 

0x04 Timeline

2021-02-03  Trustwave SpiderLabs disclosed the vulnerabilities

2021-02-04  VSRC published the security advisory

 

0x05 Appendix

 

Official website of the CVSS scoring standard: http://www.first.org/cvss/
