SolarWinds RMM Tool Has Open Zero-Day Exploit: Huntress Labs

“We’ve been working rapidly on a hot fix that will be made available imminently to help mitigate potential risk for our partners. As of Jan. 24, we know of no exploits related to this vulnerability,” SolarWinds Vice President of Security Tim Brown said.

A zero-day vulnerability in SolarWinds MSP’s remote monitoring and management tool n-Central allowed security researchers to steal the administrative credentials of an account holder, according to Huntress Labs.

“With the help of the Huntress community, we’ve now validated that this exploit works as described and were able to retrieve the domain admin password our partner stored within the product’s Agent and Probe settings,” Huntress Labs wrote in a blog post. “We are not aware of a patch for this issue yet, but will update this as soon as we learn otherwise.”

The flaw, known as “Dumpster Diver,” was reported Oct. 10 and remained open into early Friday morning, according to the security firm. SolarWinds said the exploit was never used by malicious actors to compromise any partner accounts. [Editor’s Note: SolarWinds Friday deployed hotfixes for this flaw. It also released a mitigation tool that can be used in the event the hotfix can’t be applied.]

SolarWinds told CRN at the time that the researcher reported the flaw to the company in October but there was no proof of concept. Following its internal protocol, the company monitored the findings and began working on a patch earlier this week when a proof of concept was disclosed. The patch is being deployed “imminently” to close the hole.

“We were made aware of the criticality when the researcher developed a proof of concept a few days ago,” said Tim Brown, SolarWinds vice president of security. “We’ve been working rapidly on a hot fix that will be made available imminently to help mitigate potential risk for our partners. As of Jan. 24, we know of no exploits related to this vulnerability. We are continuing to monitor the situation and provide assistance to our partners as needed.”

[Related: ConnectWise Control 'Attack Chain' Exploit: 20 Questions For Security Researcher Bishop Fox]

One SolarWinds partner who asked not to be identified said with this exploit an attacker potentially could lock an MSP out of its system and give the attacker the ability “to walk around and steal whatever they want.”

“If someone got a domain admin account into my system, that would be a complete disaster,” he said. “I could lock all my people out of the workstation and anything that’s connected. You have access to all the systems that contain their clients' information. You’re giving them the keys to my castle.”

Huntress said the flaw was disclosed Jan. 21 in a Packet Storm article that gave IT workers—as well as malicious actors—that proof of concept showing how to use the exploit to seize account credentials. That Packet Storm post and accompanying content on Twitter were taken down, but some in the security community managed to find screen shots of the information.

“Despite these resources being taken offline, we discovered at least a half-dozen individuals had access to the original files,” Huntress wrote. “It was also a bit of a humbling reminder that the internet doesn’t easily forget things.”

Huntress said within a few hours after receiving the proof-of-concept source code from two MSP partners the Huntress ThreatOps team understood how to trigger it. In an email to CRN, Huntress CEO Kyle Hanslovan said the team validated the findings Thursday and into the early morning hours of Friday.

“We just tested the code and confirmed that this is a [zero]-day right now,” he said. “We were able to recover domain administrator passwords with this vulnerability.”

Word of this comes just two days after nationally recognized offensive security consultant Bishop Fox disclosed eight zero-day vulnerabilities inside ConnectWise’s RMM tool, ConnectWise Control, which could be used to form an attack chain that would allow hackers to seize computers across an MSP's system. Of the eight—which were disclosed in September—the company told CRN that 75 percent of them were patched.

After Bishop Fox consulted with the FBI, it said those exploits could have been behind the ransomware attack last summer that crippled sites in 22 cities and towns across Texas. At the time, ConnectWise told CRN an on-premises version of its tool ConnectWise Control was used to carry out the attack.

With more than 20 years of cybersecurity experience, including work with Congress and within the halls of the White House, SolarWinds' Brown has been on the board of the Open Identity Exchange and a member of the Trans Global Secure Collaboration Program. Before joining SolarWinds two years ago, Brown was named a Dell Fellow while he was CTO for Dell Security.

“We thank the researcher for acting in a responsible manner to help protect the community,” Brown said. “At SolarWinds, we are committed to staying on top of threats, and working with researchers and our community to provide the help our partners need to stay safe,” Brown said. “Vulnerabilities are real and happen every day. It is crucial that those vulnerabilities are handled in a responsible manner by the researchers and the vendors. We are taking this extremely seriously.”