Newly discovered SolarWinds MSP Vulnerability presents nation-state threat

Overview of the SolarWinds MSP Vulnerability

This threat report is about a recently discovered vulnerability found in the SolarWinds MSP patch management engine (PME). This vulnerability is noteworthy but has only been tested in a theoretical setting.

The security community has assigned the identifier CVE-2020-12608. There is a patch available that can be pulled down automatically via auto-update.

Tactics, Techniques, and Procedures to Exploit CVE-2020-12608

To exploit this SolarWinds MSP PME vulnerability, a bad actor would have to do the following:

• The bad actor would have to prepare a web server locally or externally. Python and SimpleHTTPServer can theoretically be utilized to pull files from “Flash Media Sources” to accomplish this goal locally.
• Modify a core software configuration file (CacheService.xml). The bad actor, in this case, is operating within the system software cache on the affected device. This can be achieved via command-line tools such as CMD or PowerShell.
• Utilize a third-party patch via a means such as an executable file to act as an installer on the local machine.

While a vulnerability like this one may not be a concern for some organizational units, it’s highly encouraged to use tested update cycles to patch software flaws like this one.

Realistically speaking a highly motivated bad actor with a specific target in mind would have the motivation to take the time and effort to exploit CVE-2020-12608. Potential attackers such as nation-state-level actors, commonly referred to as advanced persistent threats (APT’s), would be capable of the level of sophistication to perform this attack type.

What Exploitation of CVE-2020-12608 Means to You

A bad actor taking advantage of this SolarWinds vulnerability could mean the following for you:

• Exploit customized payloads on affected hosts.
• Design infrastructure to widely deploy malware through a software-based patch management solution.
• Exploit common weaknesses from an infrastructure standpoint to either exfiltrate sensitive financial data, create botnets, or maintain long-term companywide persistence.

What You Should Do to Protect Against CVE-2020-12608

Avertium strongly encourages you to implement the software patch PME version 1.1.15 to preemptively mitigate this software flaw and utilize the most up-to-date cybersecurity measures to protect your patch management infrastructure.

Depending on the needs of the business, consider any serious long-term probing attempts on your assets to reveal a potential threat.

Additional Resources to Protect Against the SolarWinds MSP Vulnerability

IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/vulnerabilities/181651

About CVE-2020-12608:

• https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
  • Software Patch Per Vendor (apply PME version 1.1.15): https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/ -- if auto-update is enabled it should come automatically.
  • https://seclists.org/fulldisclosure/2020/May/23

Supporting Documentation:

• MITRE Mappings:
  • Enumeration: https://capec.mitre.org/data/definitions/1000.html
  • Physical Media: https://attack.mitre.org/techniques/T1052/
  • Execution of Files: https://attack.mitre.org/tactics/TA0002/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed security service capabilities.