Overview of the SolarWinds MSP Vulnerability
This threat report is about a recently discovered vulnerability found in the SolarWinds MSP patch management engine (PME). This vulnerability is noteworthy but has only been tested in a theoretical setting.
The security community has assigned the identifier CVE-2020-12608. There is a patch available that can be pulled down automatically via auto-update.
Tactics, Techniques, and Procedures to Exploit CVE-2020-12608
To exploit this SolarWinds MSP PME vulnerability, a bad actor would have to do the following:
- The bad actor would have to prepare a web server locally or externally. Python and SimpleHTTPServer can theoretically be utilized to pull files from “Flash Media Sources” to accomplish this goal locally.
- Modify a core software configuration file (CacheService.xml). The bad actor, in this case, is operating within the system software cache on the affected device. This can be achieved via command-line tools such as CMD or PowerShell.
- Utilize a third-party patch via a means such as an executable file to act as an installer on the local machine.
While a vulnerability like this one may not be a concern for some organizational units, it’s highly encouraged to use tested update cycles to patch software flaws like this one.
Realistically speaking a highly motivated bad actor with a specific target in mind would have the motivation to take the time and effort to exploit CVE-2020-12608. Potential attackers such as nation-state-level actors, commonly referred to as advanced persistent threats (APT’s), would be capable of the level of sophistication to perform this attack type.
What Exploitation of CVE-2020-12608 Means to You
A bad actor taking advantage of this SolarWinds vulnerability could mean the following for you:
- Exploit customized payloads on affected hosts.
- Design infrastructure to widely deploy malware through a software-based patch management solution.
- Exploit common weaknesses from an infrastructure standpoint to either exfiltrate sensitive financial data, create botnets, or maintain long-term companywide persistence.
What You Should Do to Protect Against CVE-2020-12608
Avertium strongly encourages you to implement the software patch PME version 1.1.15 to preemptively mitigate this software flaw and utilize the most up-to-date cybersecurity measures to protect your patch management infrastructure.
Depending on the needs of the business, consider any serious long-term probing attempts on your assets to reveal a potential threat.
Additional Resources to Protect Against the SolarWinds MSP Vulnerability
IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/vulnerabilities/181651
About CVE-2020-12608:
- https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
- Software Patch Per Vendor (apply PME version 1.1.15): https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/ -- if auto-update is enabled it should come automatically.
Supporting Documentation:
- MITRE Mappings:
- Enumeration: https://capec.mitre.org/data/definitions/1000.html
- Physical Media: https://attack.mitre.org/techniques/T1052/
- Execution of Files: https://attack.mitre.org/tactics/TA0002/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed security service capabilities.
Deciding between running an in-house SOC vs. using managed security services to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!