SolarWinds Orion Platform 2019.4 HF5 / 2020.2.x < 2020.2.1 SUNBURST Malware Backdoor

high Nessus Plugin ID 144198

Synopsis

An application running on the remote host is affected by a malware backdoor.

Description

The version of SolarWinds Orion Platform running on the remote host is 2019.4 HF5 or 2020.2.1 prior to 2020.2.1 HF2. It is, therefore, affected by a malware backdoor known as SUNBURST. The file SolarWinds.Orion.Core.BusinessLayer.dll included in these versions is known to contain a backdoor that communicates with third-party servers and could allow a remote attacker complete control over the host via obfuscated, benign-looking network traffic.

The United States Department of Homeland Security has issued Emergency Directive 21-01, which specifies that SolarWinds Orion products up to and including 2020.2.1 HF 1 are currently being exploited by malicious actors.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to SolarWinds Orion Platform 2019.4 HF6, 2020.2.1 HF2, or later.

See Also

http://www.nessus.org/u?85b4fa56

https://www.solarwinds.com/securityadvisory

https://cyber.dhs.gov/ed/21-01/

http://www.nessus.org/u?0ff24ea2

http://www.nessus.org/u?901aa5a2

http://www.nessus.org/u?704c04b1

http://www.nessus.org/u?bbd97140

Plugin Details

Severity: High

ID: 144198

File Name: solarwinds_orion_sunburst.nasl

Version: 1.4

Type: combined

Agent: windows

Family: CGI abuses

Published: 12/14/2020

Updated: 1/13/2021

Dependencies: solarwinds_orion_npm_detect.nasl, solarwinds_orion_installed.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score based on analysis of the vendor advisory.

VPR

Risk Factor: Medium

Score: 6

CVSS v2

Risk Factor: High

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*

Required KB Items: installed_sw/SolarWinds Orion Core

Patch Publication Date: 10/29/2020

Vulnerability Publication Date: 12/13/2020