CSW Analysis of SolarWinds: Top Scanners miss most of the vulnerabilities
Posted on 16th Dec, 2020 | By Sumeetha
The massive breach of the SolarWinds network management product has compromised as many as 18,000 organizations beyond U.S. Government entities, security agencies, and defense entities. We took a closer look at the weaknesses that exist in other SolarWinds products and found that top scanners miss most of the vulnerabilities.
Our Key Findings
- 102 vulnerabilities exist in SolarWinds products, of which 34 CVEs are weaponized.
- 30 CVEs are rated critical and 21 are rated high.
- 85 old vulnerabilities exist in SolarWinds products, ranging from the year 2001 to 2019.
- CWE-79 (Improper Neutralization of Input During Web Page Generation) appears to be the most exploited weakness, with 18 CVEs falling in this category.
- 15 CVEs are present in the Orion Network Management tool, and CVE-2019-9546 is the suspected culprit for this breach.
- The SolarWinds Orion Network Management tool is also behind the FireEye breach, in which pentesters' tools were stolen.
The Attack Surface
When we analyzed the vulnerabilities and weaponization stats, we observed that -
- 35% of SolarWinds CVEs are weaponized
- 22 CVEs have RCE/PE capabilities, making their fixes extremely critical.
- SolarWinds has vulnerabilities ranging from 2001 to 2019. The largest number of vulnerabilities date from 2019, followed by 2020 and 2010.
- CWE-79 and CWE-20 are the most exploited weaknesses in SolarWinds products.
83% of the vulnerabilities in SolarWinds products are old weaknesses. These vulnerabilities range from 2001 to 2020, representing two decades of bugs.
- Of these 85 vulnerabilities, 32 are weaponized with known exploits.
- 13 CVEs have RCE and PE capabilities.
- 23 CVEs are rated critical, 21 high, and 41 are medium.
SolarWinds Product Analysis
Next, we analyzed the different types of products that have these vulnerabilities and their broad categories -
- 45 vulnerabilities are associated with file transfer servers, which are used specifically to move very large volumes of data and are therefore a favorite target of threat actors who can steal or expose sensitive files.
- 24 CVEs were linked to the IT monitoring tool. Tools of this type should not be exposed to the Internet; they are standalone, internal tools for flagging critical issues.
SolarWinds Global Exposure Analysis
More than 300,000 customers worldwide, including defense, Fortune 500 companies, government agencies, telecommunication companies, and educational institutions, have been using the SolarWinds Network Monitoring tool.
Country-wise exposure analysis reveals the following details -
- 117 countries make use of SolarWinds products, which makes this breach extremely critical.
- The US tops the list with 698 Internet-facing products; the UK ranks next with 98 products, and India has 56.
Table: Analysis based on Countries
SolarWinds Scanner Coverage Analysis
We analyzed the data further by comparing the CVEs with some of the scanners that were able to detect the SolarWinds vulnerabilities.
- Out of the 102 CVEs, the Tenable scanner was able to detect 37 vulnerabilities.
- Qualys was able to find 15 vulnerabilities.
- Nexpose detected 1 vulnerability.
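The coverage comparison above is easy to reproduce for any vendor's CVE inventory once you have the list of CVEs each scanner has a detection for. The following script is an added example, not CSW's tooling or any scanner's API: it computes per-scanner coverage, lists the CVEs that no scanner detects, and orders those gaps so that weaponized and RCE/PE bugs come first, which is where manual verification or compensating controls should start. The inventory, scanner names and detection sets are constructed sample data; the CVE identifiers are placeholders, not real CVEs.

```python
"""Scanner coverage gap analysis for a vendor's CVE inventory.

Added example; not CSW's own tooling. All data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Severity ordering used to rank gaps (higher is more urgent).
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass(frozen=True)
class Vuln:
    cve: str            # identifier (placeholders below, not real CVEs)
    severity: str       # critical / high / medium / low
    weaponized: bool    # known public exploit exists
    rce_or_pe: bool     # remote code execution or privilege escalation
    cwe: str            # weakness class, e.g. CWE-79


# Constructed inventory: six placeholder CVEs with the attributes the post
# reports on (severity, weaponization, RCE/PE capability, CWE).
INVENTORY = [
    Vuln("CVE-0000-0001", "critical", True, True, "CWE-79"),
    Vuln("CVE-0000-0002", "critical", True, False, "CWE-79"),
    Vuln("CVE-0000-0003", "high", False, True, "CWE-20"),
    Vuln("CVE-0000-0004", "medium", True, False, "CWE-20"),
    Vuln("CVE-0000-0005", "high", False, False, "CWE-79"),
    Vuln("CVE-0000-0006", "critical", False, True, "CWE-20"),
]

# Constructed detection sets: which CVEs each (hypothetical) scanner can flag.
SCANNERS = {
    "scanner_a": {"CVE-0000-0001", "CVE-0000-0005"},
    "scanner_b": {"CVE-0000-0005"},
    "scanner_c": set(),
}


def coverage(inventory, scanner_detections):
    """Per-scanner coverage: {scanner: (detected_count, fraction_of_inventory)}."""
    ids = {v.cve for v in inventory}
    result = {}
    for name, detected in scanner_detections.items():
        hit = ids & set(detected)
        result[name] = (len(hit), len(hit) / len(ids) if ids else 0.0)
    return result


def uncovered(inventory, scanner_detections):
    """CVEs missed by every scanner, most dangerous first.

    Sort key: weaponized before not, RCE/PE before not, then severity,
    then CVE id so the order is deterministic.
    """
    covered = set().union(*scanner_detections.values())
    gaps = [v for v in inventory if v.cve not in covered]
    gaps.sort(key=lambda v: (-int(v.weaponized), -int(v.rce_or_pe),
                             -SEVERITY_RANK.get(v.severity, 0), v.cve))
    return gaps


def gap_summary(inventory, scanner_detections):
    """Counts over the uncovered CVEs, in the categories the post uses."""
    gaps = uncovered(inventory, scanner_detections)
    return {
        "total": len(gaps),
        "weaponized": sum(v.weaponized for v in gaps),
        "rce_or_pe": sum(v.rce_or_pe for v in gaps),
        "by_severity": dict(Counter(v.severity for v in gaps)),
        "by_cwe": dict(Counter(v.cwe for v in gaps)),
    }


if __name__ == "__main__":
    for name, (count, frac) in coverage(INVENTORY, SCANNERS).items():
        print(f"{name}: {count}/{len(INVENTORY)} ({frac:.0%})")
    print("Uncovered, highest priority first:")
    for v in uncovered(INVENTORY, SCANNERS):
        print(f"  {v.cve} {v.severity} weaponized={v.weaponized} rce/pe={v.rce_or_pe}")
    print(gap_summary(INVENTORY, SCANNERS))
```

The useful output is not the coverage percentage but the ordered gap list: every CVE on it is one your scanners will never report, so it needs a manual check, a vendor advisory lookup, or a compensating control such as keeping the product off the Internet.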
Internet chatter is abuzz with speculation that this might be a nation-state attack, a view we concur with. For one thing, there have been no demands for ransom, and the threat actors have been patiently biding their time since Spring 2020 to mount their attack. While there is a lot of conversation floating around about the possible APT group(s) that could have been involved in this attack, our investigation so far has not revealed any association with ransomware or APT groups.
What we see today is probably the most serious cyber-attack of all time perpetrated by threat actors not motivated by greed. With state secrets compromised, attacks such as these force us to take a step back and see what we can learn from them.
One of the many lessons from this incident is that organizations must seriously invest in vulnerability management and penetration testing and continuously check their attack surface, from infrastructure to code.