{"id":7573,"date":"2020-12-18T21:07:03","date_gmt":"2020-12-19T04:07:03","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7573"},"modified":"2023-04-05T12:41:31","modified_gmt":"2023-04-05T19:41:31","slug":"how-to-detect-solarwinds-vulnerability","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/how-to-detect-solarwinds-vulnerability\/","title":{"rendered":"How to Detect SolarWinds Orion Product running on your network?"},"content":{"rendered":"
\nPopular scanners such as Tenable, Qualys and Nexpose are missing 48 vulnerabilities out of 102 SolarWinds vulnerabilities. To help 18000 customers who have been affected, CSW team has come up with a script that would help detect SolarWinds Orion Product running on your network.\u00a0<\/span><\/span><\/strong><\/h2>\n<\/blockquote>\n
On Dec 13, 2020, it was announced that the SolarWinds Orion Platform got corrupted by the distribution of backdoor SUNBURST – a malware disguised as an update that compromised multiple critical government agencies and more than 18000 customers world-wide.\u00a0<\/span><\/span><\/p>\n
The attack was perpetrated by an APT group that had patiently mounted this attack since spring 2020. As we write this, the name of the APT group nor its origin country has been confirmed but organizations that have been compromised need to start their incident response process and start remediation plans immediately.<\/span><\/span><\/p>\n
Based on our analysis, we observed 15 CVEs associated with Orion Products and 7 CVE\u2019s are weaponized and 3 CVEs are capable of Remote Code Execution and Privilege Escalation. Click here for more information\u00a0<\/a><\/span><\/span><\/p>\n
We also analyzed the vulnerabilities that exist in numerous SolarWinds products and interestingly 49 vulnerabilities are not detected by all these top 3 vulnerabilities scanner. Click here for more information<\/a><\/span><\/span><\/p>\n
With the scanners not detecting 50% of the vulnerabilities, we decided to help SolarWinds customers and have written a script (GitHub<\/a>) to detect the SolarWinds Orion product running on your network.\u00a0<\/span><\/span><\/p>\n
Note<\/strong>: The script takes input as a single IP, CIDR or through text file. By default, four ports are added but it can be customized during the run.\u00a0<\/span><\/span><\/p>\n
The following script can be used to detect the vulnerability.<\/span><\/span><\/p>\n
Script<\/strong><\/span><\/span><\/h2>\n
\npython3 orionScanner.py –help<\/span><\/span><\/p>\n
usage:<\/strong> orionScanner.py [-h] [-t TARGET] [-T TARGETS] [-c CIDR] [-a ADD]<\/span><\/span><\/p>\n
optional arguments:<\/span><\/span><\/p>\n
\u00a0\u00a0-h, –help\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 show this help message and exit<\/span><\/span><\/p>\n
\u00a0\u00a0-t TARGET, –target TARGET<\/span><\/span><\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Single IP<\/span><\/span><\/p>\n
\u00a0\u00a0-T TARGETS, –targets TARGETS<\/span><\/span><\/p>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0List of IP in text file<\/span><\/span><\/p>\n
\u00a0\u00a0-c CIDR, –cidr CIDR\u00a0 CIDR range<\/span><\/span><\/p>\n
\u00a0\u00a0-a ADD, –add ADD \u00a0 \u00a0 Addition ports to check for. example: -a 8889,9991<\/span><\/span><\/p>\n
Note:<\/strong>\u00a0Default web ports are 80, 8080, 443, 8443<\/span><\/span><\/p>\n
\n
- Run the script for single IP to detect SolarWinds Orion Products<\/span><\/span><\/li>\n<\/ol>\n
\u00a0 \u00a0python3 orionScanner.py -t 192.168.0.1<\/span><\/span><\/p>\n
\n
- Run the script for Multiple ips by providing a text file with ips to detect SolarWinds Orion Products.<\/span><\/span><\/li>\n<\/ol>\n
\u00a0 \u00a0python3 orionScanner.py -T ips.txt<\/span><\/span><\/p>\n
\n
- Run the script for CIDR to detect SolarWinds Orion Products.<\/span><\/span><\/li>\n<\/ol>\n
\u00a0 \u00a0python3 orionScanner.py -c 192.168.0.1\/24<\/span><\/span><\/p>\n
\n
- Run the script for single ip and additional ports to detect SolarWinds Orion Products.<\/span><\/span><\/li>\n<\/ol>\n
\u00a0 \u00a0python3 orionScanner.py -t 192.168.0.1 -a 8889<\/span><\/span><\/p>\n<\/div>\n
<\/strong><\/span><\/span><\/h2>\n
Reference<\/strong><\/span><\/span><\/h2>\n
<\/p>\n
As part of the global detection rules that only triggered alerts, we developed automated scripts to detect the vulnerabilities.<\/span><\/span><\/p>\n
There is no doubt that this is one of the biggest cyber attacks mounted in the recent years. 18,000 customers world-wide lie exposed due to the SolarWinds breach and the ripple effect of this incident has caused the company\u2019s stocks to plummet down. And that\u2019s not all.\u00a0<\/span><\/span><\/p>\n
Moody\u2019s Investors Service said that they would be downgrading the company\u2019s rating citing the \u201cpotential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs\u201d.\u00a0<\/span><\/span><\/p>\n
Truly it does take one cyber incident to lose years of reputation. Incidents such as these reinforce several lessons to learn. Threat actors need only one gap to breach into your system and once there, they may stay on for many months biding their time to mount their attack or to spy on confidential data. Lastly Supply chain attacks are on the rise and the only viable way to safeguard is to invest more on cybersecurity and adopt a continuous vulnerability management process.<\/span><\/span><\/p>\n
Related Blogs<\/strong><\/h2>\n
SolarWinds Vulnerability Analysis<\/a>
\nSolarWinds: Top Scanners miss vulnerabilities<\/a><\/span><\/span>
\nFireEye’s Stolen Pentesting Tools<\/a><\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"Popular scanners such as Tenable, Qualys and Nexpose are missing 48 vulnerabilities out of 102 vulnerabilities. To help 18000 customers who have been affected, CSW team has come up with a script that would help detect SolarWinds Orion Product running on your network.<\/p>\n","protected":false},"author":1,"featured_media":7574,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[82,80],"tags":[107,279,339,250,141,338,337],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7573"}],"collection":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/comments?post=7573"}],"version-history":[{"count":2,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7573\/revisions"}],"predecessor-version":[{"id":11789,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7573\/revisions\/11789"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media\/7574"}],"wp:attachment":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media?parent=7573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/categories?post=7573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/tags?post=7573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}