"New, Critical Vulnerability Discovered That Could Let Attackers Gain Entry to SolarWinds Systems"

Researchers in Trend Micro's Zero Day Initiative (ZDI) team discovered two remote code execution (RCE) vulnerabilities that could lead to the takeover of SolarWinds Orion systems. The team has worked closely with SolarWinds to assist in responding to the massive hack. According to the researchers, one of the RCE vulnerabilities has a critical severity rating, while the other received a high severity rating. The exploitation of these vulnerabilities could allow remote attackers to take over an affected SolarWinds system. The critical RCE vulnerability exists in the OneTimeJobSchedulerEventsService Windows Communication Foundation (WCF) service. It stems from the inadequate validation of user-supplied data, possibly resulting in the deserialization of untrusted data. An attacker can abuse this vulnerability to escalate privileges and execute arbitrary code, thus allowing them to carry out any action that the System Account can perform. The second RCE vulnerability exists in the JobRouterService WCF service and is caused by the service's configuration, which allows unprivileged users to access a critical resource. This vulnerability lets attackers execute code as an administrator. However, an attacker would need to be authenticated to abuse this vulnerability. These vulnerabilities provide attackers with many opportunities for lateral movement, data exfiltration, and the performance of destructive actions. This article continues to discuss the new vulnerabilities impacting SolarWinds' Orion IT monitoring platform. 

SC Magazine reports "New, Critical Vulnerability Discovered That Could Let Attackers Gain Entry to SolarWinds Systems"
