IT infrastructure administration supplier SolarWinds on Thursday launched a brand new replace to its Orion networking monitoring device with fixes for 4 safety vulnerabilities, counting two weaknesses that might be exploited by an authenticated attacker to realize distant code execution (RCE).
Chief amongst them is a JSON deserialization flaw that permits an authenticated consumer to execute arbitrary code by way of the test alert actions characteristic obtainable within the Orion Internet Console, which lets customers simulate community occasions (e.g., an unresponsive server) that may be configured to set off an alert throughout setup. It has been rated important in severity.
A second challenge issues a high-risk vulnerability that might be leveraged by an adversary to realize RCE within the Orion Job Scheduler. “With a view to exploit this, an attacker first must know the credentials of an unprivileged native account on the Orion Server,” SolarWinds said in its launch notes.
The advisory is gentle on technical specifics, however the two shortcomings are stated to have been reported by way of Pattern Micro’s Zero Day Initiative.
Moreover the aforementioned two flaws, the replace squashes two different bugs, together with a high-severity saved cross-site scripting (XSS) vulnerability within the “add customized tab” inside customise view web page (CVE-2020-35856) and a reverse tabnabbing and open redirect vulnerability within the customized menu merchandise choices web page (CVE-2021-3109), each of which require an Orion administrator account for profitable exploitation.
The brand new replace additionally brings plenty of safety enhancements, with fixes for stopping XSS assaults and enabling UAC safety for Orion database supervisor, amongst others.
The most recent spherical of fixes arrives nearly two months after the Texas-based firm addressed two severe security vulnerabilities impacting Orion Platform (CVE-2021-25274 and CVE-2021-25275), which may have been exploited to realize distant code execution with elevated privileges.
Orion customers are really useful to replace to the most recent launch, “Orion Platform 2020.2.5,” to mitigate the danger related to the safety points.