The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its official guidance to order US federal agencies to update the SolarWinds Orion platforms by the end of the year.
According to the CISA’s Supplemental Guidance to Emergency Directive 21-01, all US government agencies running the SolarWinds Orion app must update to the latest 2020.2.1HF2 version by the end of the year or take them offline.
SolarWinds released the 2020.2.1HF2 version on December 15 to secure its installs and remove the Sunburst-related code from their systems.
“Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2.” reads CISA’s Supplemental Guidance to Emergency Directive 21-01. “The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code.”
The order is part of the update for the CISA’s guidance that was issued on December 18 following the discovery of the SolarWinds supply chain attack.
The US CERT Coordination Center issued the security note VU#843464 to detail the authentication bypass flaw in the Orion API, tracked as CVE-2020-10148, that allows attackers to execute remote code on Orion installations.
“This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.” reads the advisory.
The vulnerability was exploited by threat actors to install the Supernova backdoor in attacks not linked to the SolarWinds supply chain hack.
CISA urge to update to version 2020.2.1HF2 to fix any other SolarWinds Orion-related bug, including the CVE-2020-10148 vulnerability.
“Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020.” continues CISA.
|Orion Platform Version||Continued use of SolarWinds Orion permitted at this time||Update required?|
|Affected versions: 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1 (should be powered down or removed from networks based on ED 21-01)||No||N/A|
|All other versions that are currently online (if the instance did not previously use an affected version)||Yes||Yes (2020.2.1HF2)|
Below the list of affected versions:
Yesterday, the Microsoft 365 Defender Team revealed that the goal of the threat actors behind the SolarWinds supply chain attack was to move to the victims’ cloud infrastructure once infected their network with the Sunburst/Solorigate backdoor.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, CISA)