Attacks and Vulnerabilities
CISA
News

US federal agencies directed to update SolarWinds Orion software by CISA

January 01, 2021
Orion software

The Cybersecurity and Infrastructure Security Agency (CISA) has asked US federal agencies to update the SolarWinds Orion software by the end of the year. This advice came in a supplementary guidance that broadens its initial Emergency Directive (ED) on the cyber incident impacting networks across federal, state and local governments, as well as critical infrastructure entities and other private sector organizations.

All federal agencies operating versions of the SolarWinds Orion platform, other than those identified as “affected versions,” are required to use at least SolarWinds Orion Platform version 2020.2.1HF2, CISA noted in the supplementary guidance released on Wednesday.

“We issued V2 supplemental guidance to Emergency Directive 21-01. @NSAgov verified version 2020.2.1 HF2 of SolarWinds Orion eliminates previously identified malicious code,” CISA said in a Twitter message.

The National Security Agency (NSA) examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks had to be updated to 2020.2.1 HF2 by close of business on Dec. 31, 2020, the security agency added. It wasn’t clear at time of writing if all the agencies, coming under the order, had complied.

An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as for widespread abuse of commonly used authentication mechanisms, CISA said. The threat actor has the resources, patience and expertise to gain access to and gain privileges over highly sensitive information if left unchecked.

CISA had previously issued Emergency Directive 21-01, following a known security breach affecting SolarWinds Orion products. The agency advised all federal civilian agencies to review their networks for indications of compromise, and immediately disconnect or power down SolarWinds Orion products using versions 2019.4 through 2020.2.1 HF1 immediately.

It subsequently updated its earlier advisory after finding evidence of initial access vectors other than the SolarWinds Orion software. Specifically, “we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” CISA reported. It also identified changes to the tactics, techniques and procedures (TTPs), and will update as new information on the security breach becomes available.

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands, Carnegie Mellon University said this week in a vulnerability note. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters, which could allow an attacker to execute unauthenticated API commands.

This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance, the University warned. Especially in cases when updates cannot be installed, we recommend that users implement mitigations to harden the IIS server, it added.

CISA will follow up with additional supplemental guidance, to include further clarifications and hardening requirements, the agency added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings