SolarWinds has patched three recently discovered vulnerabilities -- two associated with Orion, one involving Serv-U FTP for Windows. The vulnerabilities were unrelated to the widely reported SUNBURST and SUPERNOVA events. In this case, the issues were discovered and documented by SpiderLabs, a research arm owned by MSSP Trustwave.
Left unpatched, the three vulnerabilities "could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system," Trustwave asserts.
SolarWinds MSP Partners: No Impact
Five key takeaways for MSPs and MSSPs to keep in mind:
1. Timeline: Trustwave reported all three findings to SolarWinds, and patches were released in a very timely manner, the Top 250 MSSP says. Trustwave disclosed the vulnerabilities to SolarWinds on December 30, 2020, and SolarWinds developed and then released patches on January 22 and 25, respectively.
2. No SolarWinds MSP Partner Impact: The three vulnerabilities did not involve software from SolarWinds MSP, a business division that is marching toward a potential spin-off and rebrand as N-able.
3. No Known Attacks: To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any “in the wild” attacks. However, given the criticality of these issues, Trustwave recommends that affected users patch as soon as possible, the company says.
4. Unrelated: The three vulnerabilities were not related to the highly publicized SolarWinds SUNBURST and SUPERNOVA security advisory, which SolarWinds continues to document here.
5. More Info: Trustwave has purposely withheld specific Proof of Concept (PoC) code in order to give SolarWinds users more time to patch, but the MSSP will post an update to the disclosure blog that includes the PoC code on February 9.
