Security, IT, and risk managers are asking two questions in the wake of the large-scale breaches resulting from the SolarWinds compromise:
- Are we running affected versions and do we need immediate patches?
- Where else are we running SolarWinds on our network?
While these questions sound elementary, they can be difficult to answer because asset and software inventory lists are often curated manually, updated infrequently, or incomplete.
In this blog, we’ll show how organizations are using Axonius to identify all instances of SolarWinds software, find affected versions, and confirm whether the SolarWinds vulnerabilities are present at their organization.
A Brief Primer: How to Track Installed Software With Axonius
Knowledge of installed applications is often spread across multiple tools, such as vulnerability assessment tools or systems management agents. Because these tools rarely cover exactly the same set of devices, aggregating their data closes gaps that no single tool can see on its own.
Axonius aggregates, correlates, and normalizes installed software data across all devices known in your network. As customers connect adapters, they obtain a comprehensive and credible list of installed software running on devices — whether they are workstations, laptops, virtual machines, servers, or cloud workloads.
Many Axonius adapters provide installed software information, including version details. Data sources that commonly provide this information include:
- Endpoint Management: For example, SCCM, Tanium, BigFix, Chef, Puppet
- Software Management: For example, ManageEngine, Snow Asset Management
- Endpoint Protection and Antivirus: For example, Symantec, SentinelOne
- Vulnerability Assessment Tools: For example, Qualys, Rapid7, Tenable.io, Tenable.sc
It is also helpful to connect adapters that provide a large device inventory to understand which software applications exist across certain device types. These adapters include:
- Directory Services: For example, Active Directory, Azure AD
- Virtualization: For example, VMware, Hyper-V, OpenStack
- Cloud Infrastructure: For example, AWS, Google Compute, Azure, Oracle, IBM
Finally, Axonius can also run ad-hoc or scheduled WMI scans to retrieve the list of installed software on Windows devices.
How to Find All SolarWinds Software
Even if teams have already taken mitigating actions (either by applying patches or turning off SolarWinds infrastructure), they may want to identify all instances of SolarWinds software should any further findings emerge.
The following query returns any SolarWinds application seen through any adapter connected to the Axonius platform.
How to Find Impacted Versions of SolarWinds Software
Three Orion Platform versions are affected by the recently disclosed threat actor activity across U.S. federal government agencies and Fortune 500 companies.
SolarWinds has reported that fewer than 18,000 customers may have installed the trojanized Orion updates, which were delivered through SolarWinds' own update servers in builds released between March and June 2020, introducing a backdoored Orion component into those environments.
The impacted versions of the Orion platform are:
- 2019.4 HotFix 5
- 2020.2 with no hotfix
- 2020.2 HotFix 1
Axonius can be used to query for specific software versions, as well as software vendors (e.g., SolarWinds), across any adapter you have connected in the platform. The two query examples below show how to identify the known impacted versions:
These queries search across all connected adapters, look for any known instance of SolarWinds Orion Software, and then display versions which may be susceptible.
Find version 2019.4 HotFix 5
Find version 2020.2, with or without hotfix
These queries run continuously, and their results can be tracked over time in a comparison chart.
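The two version queries above boil down to a matching rule: an installed-software record is of interest when the vendor or product names SolarWinds and the version string normalizes to 2019.4 HF5, 2020.2 with no hotfix, or 2020.2 HF1. The following Python is an added example of that rule, not Axonius code or Axonius query syntax; the record field names (hostname, vendor, product, version) and the sample inventory are constructed to resemble what an installed-software adapter might return, and are assumptions. It handles the practical wrinkles you hit when data comes from several adapters: the hotfix spelled "HotFix 5", "HF5" or "HF 5", the version sometimes trailing the product name instead of sitting in its own field, and 2020.2.1 (the fixed release) not being mistaken for 2020.2.

```python
"""Flag installed-software records whose version is one of the Orion builds
named in the SolarWinds advisory: 2019.4 HF5, 2020.2 (no hotfix), 2020.2 HF1.

Added example; not Axonius code. Record field names and sample data are
constructed assumptions, not output of any real adapter.
"""
import re

# (base version, hotfix number); hotfix 0 means "no hotfix installed"
AFFECTED = {("2019.4", 5), ("2020.2", 0), ("2020.2", 1)}

_VERSION_RE = re.compile(
    r"(?P<base>\d{4}\.\d(?:\.\d+)?)"          # 2019.4, 2020.2, 2020.2.1
    r"(?:\s*(?:HotFix|HF)\s*(?P<hf>\d+))?",   # optional hotfix, several spellings
    re.IGNORECASE,
)


def parse_orion_version(text):
    """Return (base, hotfix) parsed from strings such as '2019.4 HotFix 5',
    '2020.2 HF1' or '2020.2.1'. Returns None when no Orion-style version is present."""
    match = _VERSION_RE.search(text or "")
    if not match:
        return None
    return match.group("base"), int(match.group("hf") or 0)


def is_affected_version(text):
    """True only for the three advisory-listed builds; 2020.2.1 and 2019.4 HF4 are not."""
    parsed = parse_orion_version(text)
    return parsed is not None and parsed in AFFECTED


def find_affected(records):
    """records: iterable of dicts with hostname, vendor, product, version (assumed fields).
    Returns (hostname, product, version) for each record on an affected build."""
    hits = []
    for record in records:
        label = f"{record.get('vendor', '')} {record.get('product', '')}".lower()
        if "solarwinds" not in label:
            continue
        # Some adapters put the version in its own field, others leave it in the product name.
        for candidate in (record.get("version", ""), record.get("product", "")):
            if is_affected_version(candidate):
                hits.append((record["hostname"], record.get("product", ""), record.get("version", "")))
                break
    return hits


# Constructed sample inventory (not real hosts or adapter output).
SAMPLE_INVENTORY = [
    {"hostname": "orion-01", "vendor": "SolarWinds", "product": "Orion Platform", "version": "2019.4 HotFix 5"},
    {"hostname": "orion-02", "vendor": "SolarWinds Worldwide, LLC", "product": "SolarWinds Orion Platform 2020.2 HF1", "version": ""},
    {"hostname": "orion-03", "vendor": "SolarWinds", "product": "Orion Platform", "version": "2020.2.1"},
    {"hostname": "orion-04", "vendor": "SolarWinds", "product": "Orion Platform", "version": "2019.4 HF4"},
    {"hostname": "orion-05", "vendor": "SolarWinds", "product": "Orion Platform", "version": "2020.2"},
    {"hostname": "ws-06", "vendor": "Microsoft", "product": "Office", "version": "2019.4"},
]

if __name__ == "__main__":
    for hostname, product, version in find_affected(SAMPLE_INVENTORY):
        print(f"{hostname}: {product} {version}".rstrip())
```

Running the script lists orion-01, orion-02 and orion-05; orion-03 (already on 2020.2.1) and orion-04 (2019.4 HF4) are left out, as is the Microsoft record whose version string happens to look like an Orion build. If your adapters report versions in yet another form, extend the regular expression rather than the match set, so the three affected builds stay the single source of truth.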
Find CVEs Associated With SolarWinds Orion
Axonius can also be used to confirm the presence of vulnerabilities. With vulnerability assessment, endpoint protection, and configuration and patch management adapters connected, Axonius can identify all known devices susceptible to a particular vulnerability.
Using the Vulnerable Software: CVE ID field, you can search for any specific CVE observed from any adapter source.
Query: Find CVE-2020-14005
This vulnerability, first disclosed in June 2020, applies to SolarWinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) and allows remote attackers to execute arbitrary code.
Query: Find CVE-2020-13169
This vulnerability, first disclosed in September 2020, is a stored cross-site scripting flaw in SolarWinds Orion Platform versions before 2020.2.1 and may lead to the takeover of administrative accounts.
Query: Find CVE-2020-4006
The same attackers also used weaknesses in other, non-SolarWinds products to attack companies. One in particular affects VMware identity management products, including Workspace ONE Access and Identity Manager: a command injection flaw in the administrative configurator that lets an attacker with network access to that interface and valid credentials for its admin account execute commands with unrestricted privileges on the underlying operating system of an unpatched system.
Monitoring Assets With RDP Enabled
As a general best practice, monitor corporate assets that can be accessed remotely.
One example is to search for any devices that communicate over TCP port 3389, the default port for Remote Desktop Protocol (RDP). Security, IT, and risk teams should confirm that RDP is actually required on any device where it is found, and disable it where it is not, in order to minimize the attack surface.
Automate Response Actions When Vulnerable Software is Found
All of the queries shown above can run continuously. Using the Axonius Security Policy Enforcement Center, customers can use these queries as triggers for a variety of responses whenever new results appear:
- Deploying files or running commands on Windows or Linux devices that may be affected
- Creating an incident in ticketing platforms such as ServiceNow, Zendesk, Cherwell, and others when affected versions or CVEs are observed
- Sending an email to selected team members with instructions to investigate assets running SolarWinds software