Researchers say cloud deployments of SolarWinds Orion could put API keys at risk




The fallout from the SolarWinds Orion hack continues, with some shareholders filing a class-action lawsuit against executives, alleging they were misled about the company's security, and with a warning that Orion users' cloud applications may be breached.

Caution for cloud users
Ermetic Ltd., a firm based in Tel Aviv, has argued in a blog post that users who deployed a version of the Orion network management platform with an infected update in the cloud may be at risk, as it would certainly have privileged management functions.

There are three risks. First, Orion databases can store AWS and Azure API keys, Ermetic said, enabling an attacker who accesses them to compromise those accounts. Second, if deployed on AWS or Azure, Orion may also have root API keys, enabling an attacker to gain full administrator privileges on the account on which Orion is deployed. Finally, Orion requires access to an identity and access management (IAM) identity, Ermetic argues, which could lead to compromise.

To mitigate these risks, Ermetic recommends that organizations that have deployed infected versions of Orion treat all stored credentials as compromised and rotate them. Cloud security researcher Rob Fuller has released SolarFlare, an open-source tool that generates a complete list of the credentials in an Orion database.

If cloud-based Orion deployments had root API keys for AWS or Azure accounts, a manual review of each identity and resource is required to determine the extent of exposure. To address the problem that Orion needs access to an IAM identity, verify that its permissions are limited. If you decide to suspend your use of Orion, Ermetic says, remove that identity altogether or, at the very least, revoke its privileges.

Other risks
Organizations around the world that use Orion are still scouring their environments after discovering last month that a sophisticated hacker compromised a platform update last spring, allowing the installation of a backdoor. Out of an estimated 33,000 Orion users, 18,000 downloaded the infected update.

In addition to that compromise, Palo Alto Networks has identified a second vulnerability in Orion.

Meanwhile, SC Magazine reports that some shareholders who bought shares between February 24 and December 15, 2020 have filed a class-action lawsuit in Texas against SolarWinds and some top executives. The class action has to be certified by a judge before going further. It claims that the company said in public documents that "significant expenditures were incurred to prevent security breaches" while it knew, or should have known, that its update server had an easily accessible password of "Solarwinds123" and that Orion had had a vulnerability since mid-2020.

The charges have not been proved in court.
