WASHINGTON — A cybersecurity company has identified three new “critical” flaws in software produced by SolarWinds, the company that was exploited in what U.S. officials said last year was a massive hack of U.S. government and corporate sites by Russian intelligence.

The security company, Trustwave, said it informed SolarWinds about the vulnerabilities, which Trustwave said could have enabled an attacker to compromise the networks of SolarWinds customers.

SolarWinds has released a patch to fix the security flaws, and neither company found evidence that hackers had exploited the vulnerabilities. Nonetheless, the findings raise new questions about security at SolarWinds, which provides information technology software to government agencies and most Fortune 500 corporations.

The potential damage, had the flaws been exploited, is hard to quantify. Theoretically, however, it could have resulted in the exposure of everything from consumer data to corporate and government secrets.

After the SolarWinds hack became public in December, “we decided that we wanted to try ourselves to see how secure SolarWinds products are,” said Ziv Mador, Trustwave’s vice president of security research. “In two weeks, [we] found three severe vulnerabilities.”

In a statement to NBC News, SolarWinds said, “Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on SolarWinds right now.”

The company said the flaws have been addressed through software patches.

“Following the recent nation-state attack against an array of American software providers, including SolarWinds, we have been collaborating with our industry partners and government agencies to advance our goal of making SolarWinds the most secure and trusted software company,” the statement said. “We have always been committed to working with our customers and other organizations to identify and remediate any vulnerabilities across our product portfolio in a responsible way. Today’s announcement aligns with this process.”

The lesson, Mador said, is that software vendors should continually subject their products to what is known as “penetration testing,” in which hackers probe for weaknesses that can be fixed before they are exploited.

“In nearly 100 percent of the applications we test, we find vulnerabilities,” he said. “Some severe, some mild.”

Trustwave first approached SolarWinds about the flaws in late December, Mador said, and gave it time to release the patch. Trustwave will wait one more week to release the “proof of concept,” showing exactly how the flaws were exploited, he said.

Reuters reported Tuesday that Chinese hackers exploited a SolarWinds flaw to gain access to the Agriculture Department. SolarWinds said in a statement that the hackers first broke into the Agriculture Department network and then added malicious code to SolarWinds Orion software on the customer’s network.

“We are aware of one instance of this happening and this is separate from the broad and sophisticated attack that targeted multiple software companies as vectors,” the statement added.

Source: This article originally appeared on NBCNews.com
