Fact Sheet: New Vulnerabilities Discovered in SolarWinds Products by Trustwave SpiderLabs
Download our fact sheet on the SolarWinds vulnerabilities that Trustwave SpiderLabs has discovered. All three vulnerabilities are severe, with the most critical one allowing remote code execution with high privileges.

SolarWinds Orion Platform Vulnerability (CVE-2021-25274): Messages Queued, Processed, Deserialized and Exploited

In light of the recent SolarWinds supply chain attack, I decided to take a quick look at SolarWinds products based on the Orion framework. SolarWinds offers trial versions for download. I picked User Device Tracker and installed it on a vanilla Windows Server 2019 virtual machine.

As a part of the installation, there is a setup of Microsoft Message Queue (MSMQ), which has been around for more than two decades. This immediately grabbed my attention since, by default, this technology is not installed on modern Windows systems. Next, the installer suggested installing Microsoft SQL Server Express for the product backend database management, but I could have opted to use an existing Microsoft SQL Server instance too. After a few more steps – voilà – we have the product up and running.

Since MSMQ was installed, the first thing I tried was to open the Computer Management console to see what's going on under Message Queuing, as you can see in Figure 1.

Figure 1: SolarWinds Orion Collector uses MSMQ heavily.

As you can see, there is a huge list of private queues, and literally every one of them has a specific problem. See if you can pinpoint it in Figure 2 below.

Figure 2: Security is not configured on the queues.

It's pretty hard to miss that warning shield showing that the queue, like all the queues, is unauthenticated. In short, unauthenticated users can send messages to such queues over TCP port 1801. My interest was piqued, and I jumped in to look at the code that handles incoming messages. Unfortunately, it turned out to be vulnerable to unsafe deserialization. A simple Proof of Concept (PoC) (which, again, we will release on Feb. 9) allows remote code execution by remote, unprivileged users by combining those two issues. Given that the message processing code runs as a Windows service configured to use the LocalSystem account, we have complete control of the underlying operating system.

After the patch is applied, there is a digital signature validation step performed on arriving messages, so that messages having no signature, or not signed with the per-installation certificate, are not processed further. On the other hand, MSMQ is still unauthenticated and allows anyone to send messages to it.
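As an added defender-side example (not from the original post or from SolarWinds): a PowerShell audit that lists the private MSMQ queues that accept unauthenticated messages and checks whether the MSMQ TCP listener on port 1801 is exposed on the host. It assumes the MSMQ feature and its PowerShell module are installed, and that the queue objects Get-MsmqQueue returns expose the Authenticate property (the setting Set-MsmqQueue -Authenticate controls).

```powershell
# Added audit script (not from the original post). Assumes the MSMQ feature and its
# PowerShell module are present, as on the Windows Server 2019 Orion host described above.
Import-Module MSMQ -ErrorAction Stop

function Get-UnauthenticatedPrivateQueue {
    # Authenticate = $false means the queue accepts unsigned messages from any sender,
    # which is the "unauthenticated" state the post's Figure 2 points at.
    # (Assumption: the returned queue objects expose Authenticate, as Set-MsmqQueue does.)
    Get-MsmqQueue -QueueType Private |
        Where-Object { -not $_.Authenticate } |
        Select-Object QueueName, Authenticate, Transactional, MessageCount
}

function Get-MsmqTcpListener {
    # TCP 1801 is the MSMQ listener the post refers to; a socket bound to 0.0.0.0
    # is reachable from every interface, not just loopback.
    Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

$open     = @(Get-UnauthenticatedPrivateQueue)
$listener = @(Get-MsmqTcpListener)

if ($listener.Count -gt 0 -and $open.Count -gt 0) {
    Write-Warning ("MSMQ is listening on TCP 1801 and {0} private queue(s) accept unauthenticated messages" -f $open.Count)
    $listener | Format-Table -AutoSize
    $open     | Format-Table -AutoSize
} elseif ($open.Count -gt 0) {
    Write-Warning ("{0} private queue(s) accept unauthenticated messages; no TCP 1801 listener found" -f $open.Count)
    $open | Format-Table -AutoSize
} else {
    Write-Output "All private queues require authenticated messages."
}
```

On an Orion host this is an inventory and exposure check, not a fix: the post notes that the vendor patch validates message signatures inside the application while the queues themselves stay unauthenticated, so the remediation it describes is applying that patch and limiting who can reach port 1801, not changing the product's queue settings.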