Experts Note Patching Alone Will Not Mitigate Threats
Although SolarWinds has released a second round of patches for flaws in its Orion network monitoring platform that was targeted in a supply chain attack, some security experts say organizations need to go far beyond patching to manage the risks involved.
Although applying the patches is critical, patches “aren’t going to be the silver bullet we wish they could be,” says Yaniv Bar-Dayan, CEO and co-founder of the security firm Vulcan Cyber.
“Advanced persistent threat actors take advantage of layers of attack vectors and vulnerabilities, with most of them previously known to cybersecurity organizations. Therefore, IT security teams should immediately identify the risk to their business and prioritize the work of remediation, then take the necessary steps to implement all needed compensating controls to reconfigure systems as necessary and then upgrade to the patch as soon as possible.”
Roger Grimes, data-driven defense evangelist at security firm KnowBe4, adds: “The malware outlives the life of the software. That is why it is always important for the vendor to use security development life cycle techniques to minimize the amount of bugs, because for every bug, there is some percentage of the vulnerable population that will never get patched and always remain exploitable. There is no herd immunity in the digital world.”
This Week’s Patches
The four Orion vulnerabilities for which SolarWinds issued patches this week are:
- CVE-2020-35856, a high-risk flaw that, if exploited, permits XSS attacks by an administrator on the “customize view” page;
- CVE-2021-3109, a medium-risk flaw found in the custom menu, which requires an Orion administrative account to exploit;
- Two other remote code flaws that have not been assigned CVE IDs.
In January, following the supply chain attack, the company patched three serious flaws, one of which allowed full remote code execution, meaning attackers could exploit it to take complete control of a system.
Martin Rakhmanov, a Trustwave SpiderLabs security research manager who uncovered the vulnerabilities in December, noted earlier that none of those flaws appears to have been exploited during the SolarWinds supply chain attack or in any in-the-wild attacks. Nevertheless, he recommended immediate patching because of the criticality of these issues.
Supply Chain Attack
The SolarWinds supply chain attack involved attackers planting a backdoor in an update of the Orion platform, which about 18,000 customers downloaded. Nine government agencies and about 100 companies were targeted for follow-on attacks, according to federal investigators.
The Associated Press reported Monday that the SolarWinds attackers gained access to at least one email account used by Chad Wolf, who was acting secretary of the Department of Homeland Security in the final months of the Trump administration, along with the accounts of other DHS and Department of Energy officials.
Federal investigators say the supply chain attack was part of a Russian cyberespionage campaign. The Biden administration is considering sanctions and other action in response (see: GAO Pushes for Speeding Up Cybersecurity Enhancements).
Meanwhile, SolarWinds on Tuesday made an initial public filing with the Securities and Exchange Commission for the spinoff of its managed service provider business into a separately traded public company to be named N-able. The spinoff plans had been unveiled last year.
The announcement follows the appointment in February of Kevin Bury as chief customer officer for the SolarWinds MSP division.