Advisory Overview
SolarWinds RMM has identified a vulnerability in versions 10.8.8 and earlier that could allow an attacker to target all devices running the Advanced Monitoring Agent. The attack could allow an attacker to download malware, modify data, and delete user accounts. SKOUT recommends updating to version 10.8.9 or newer.
Technical detail and additional information
What is the threat?
A vulnerability exists in the SolarWinds Remote Monitoring and Management (RMM) Windows agent prior to version 10.8.9, specifically the Advanced Monitoring Agent. The agent is run by every local and remote user that logs in and the executable code within is writable by all users. This can allow a malicious actor to edit the file and cause arbitrary code to execute with the privilege of any and all users that log in. An attacker can modify this executable to download malware, modify data, create/modify/delete user accounts, and more.
Why is this noteworthy?
SolarWinds is a popular RMM tool that many MSP organizations utilize to monitor and maintain IT systems. MSPs are a popular and lucrative target for attackers attempting to exploit vulnerabilities as a successful exploit, which can lead to a much larger compromise if the MSP themselves are compromised. The nature of the vulnerability allows any user with remote or local access to a device running the SolarWinds RMM agent to craft an executable that will be automatically run by any user that logs in to that device. This could allow an attacker to quickly spread throughout a network of devices that are running the SolarWinds agent.
What is the exposure or risk?
If exploited, this vulnerability can allow the attacker to edit the executable file that each user runs when they log in any way they wish. This can lead to the execution of arbitrary code with the potentially elevated privileges of any user that logs in. With the ability to execute code with potentially elevated privileges, an attacker could download malware, modify data, create/modify/delete user accounts, and more.
What are the recommendations?
This issue only affects version 10.8.8 and below of the RMM agent, so it is recommended that any outdated agents are updated to version 10.8.9 or newer. The steps for checking the current version of the agent and updating it have been provided by SolarWinds in their article about this vulnerability and are as follows:
“To upgrade your agents, log into RMM and go to ‘Agent Auto-update Settings’ on the Agent dropdown menu. You can also right-click individual servers and workstations to update the agent on the ‘Edit Device’ dialog. Use the Device Inventory Report to see which agent versions are on your devices.”
References:
For more in-depth information about the recommendations, please visit the following links:
- https://status.solarwindsmsp.com/2020/06/15/solarwinds-rmm-security-notice-regarding-an-agent-vulnerability-pre-v10-8-9/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10149
- https://hansesecure.de/2020/06/vulnerability-in-monitoring-software/?lang=en
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13912
If you have any questions, please contact our Security Operations Center.
