The Cybersecurity and Infrastructure Security Agency (CISA) has asked US federal agencies to update the SolarWinds Orion software by the end of the year. This advice came in a supplementary guidance that broadens its initial Emergency Directive (ED) on the cyber incident impacting networks across federal, state and local governments, as well as critical infrastructure entities and other private sector organizations.
All federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” are required to use at least SolarWinds Orion Platform version 2020.2.1 HF2, CISA noted in the supplementary guidance released on Wednesday.
“We issued V2 supplemental guidance to Emergency Directive 21-01. @NSAgov verified version 2020.2.1 HF2 of SolarWinds Orion eliminates previously identified malicious code,” CISA said in a Twitter message.
The National Security Agency (NSA) examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks had to be updated to 2020.2.1 HF2 by close of business on Dec. 31, 2020, the security agency added. It wasn’t clear at the time of writing whether all the agencies covered by the order had complied.
An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as for widespread abuse of commonly used authentication mechanisms, CISA said. The threat actor has the resources, patience and expertise to gain access to, and privileges over, highly sensitive information if left unchecked.
CISA had previously issued Emergency Directive 21-01 following a known security breach affecting SolarWinds Orion products. The agency advised all federal civilian agencies to review their networks for indications of compromise, and to immediately disconnect or power down SolarWinds Orion products running versions 2019.4 through 2020.2.1 HF1.
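The version constraints in the directive and its supplement reduce to a simple check: Orion instances on 2019.4 through 2020.2.1 HF1 fall under the disconnect-or-power-down instruction, and anything else must be at 2020.2.1 HF2 or later. The following script is an added example, not CISA’s or SolarWinds’ tooling; it assumes Orion version strings follow the “year.release[.patch][ HFn]” pattern seen on this page (for instance “2019.4” and “2020.2.1 HF2”), and the host inventory it scans is constructed for illustration.

```python
"""Classify SolarWinds Orion versions against the ED 21-01 guidance.

Added example (not CISA's or SolarWinds' own code). Version-string format
is assumed from the examples quoted in the guidance: "2019.4",
"2020.2.1 HF1", "2020.2.1 HF2"; "HF" may be written with or without a space.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class OrionVersion(NamedTuple):
    """Orion version as a comparable tuple; missing patch/hotfix count as 0."""
    major: int
    minor: int
    patch: int
    hotfix: int


# year.release[.patch][ HF<n>] -- assumption: this is the only shape we accept
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> OrionVersion:
    """Parse an Orion version string; raises ValueError on unknown formats."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Bounds taken directly from the guidance quoted in the article.
AFFECTED_LOW = parse_version("2019.4")          # first affected version
AFFECTED_HIGH = parse_version("2020.2.1 HF1")   # last affected version
REQUIRED_MIN = parse_version("2020.2.1 HF2")    # minimum permitted version


def classify(version_text: str) -> str:
    """Return 'affected', 'compliant' or 'below-minimum' for one version."""
    v = parse_version(version_text)
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"          # ED 21-01: disconnect or power down
    if v >= REQUIRED_MIN:
        return "compliant"         # meets the 2020.2.1 HF2 floor
    return "below-minimum"         # older than 2019.4: still must update


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify every host in a {hostname: version} inventory."""
    results = []
    for host, version in sorted(inventory.items()):
        try:
            status = classify(version)
        except ValueError:
            status = "unparseable"  # flag for manual review rather than guess
        results.append((host, version, status))
    return results


def summarize(inventory: Dict[str, str]) -> Dict[str, int]:
    """Count hosts per status, which is the figure a compliance report needs."""
    counts: Dict[str, int] = {}
    for _, _, status in audit(inventory):
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "orion-hq-01": "2020.2.1 HF2",
        "orion-hq-02": "2020.2.1HF1",
        "orion-region-a": "2019.4 HF5",
        "orion-region-b": "2019.2",
        "orion-lab": "dev-build",
    }
    for host, version, status in audit(sample):
        print(f"{host:16} {version:14} {status}")
    print(summarize(sample))
```

Hosts reported as “affected” are the ones ED 21-01 told agencies to take offline; “below-minimum” hosts were never in the named range but still fail the 2020.2.1 HF2 floor set by the supplemental guidance, and anything unparseable is surfaced for manual review instead of being silently treated as safe.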
It subsequently updated its earlier advisory after finding evidence of initial access vectors other than the SolarWinds Orion software. Specifically, “we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified,” CISA reported. It also identified changes to the actor’s tactics, techniques and procedures (TTPs), and said it will update its guidance as new information on the security breach becomes available.
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands, Carnegie Mellon University said this week in a vulnerability note. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters, which could allow an attacker to execute unauthenticated API commands.
This vulnerability could allow a remote attacker to bypass authentication and execute API commands, which may result in a compromise of the SolarWinds instance, the University warned. Especially in cases where updates cannot be installed, it recommended that users implement mitigations to harden the IIS server.
CISA will follow up with additional supplemental guidance, including further clarifications and hardening requirements, the agency added.