An Update on SUPERNOVA and Our Support for Customers

Over the last few days, third parties and the media publicly reported on malware now referred to as SUPERNOVA. Based on our investigation, this malware could be deployed through exploitation of a vulnerability in the Orion Platform. Like other software companies, we seek to responsibly disclose vulnerabilities in our products to our customers while also mitigating the risk that bad actors exploit those vulnerabilities, by releasing updates to our products before we disclose the vulnerabilities.

We provided two hotfix updates on December 14 and 15, 2020 that contained security enhancements, including those designed to prevent certain versions of our Orion Platform products from being exploited in a SUPERNOVA attack. Today, we released similar updates for all other supported versions of our Orion Platform products and a fix for customers on unsupported versions of these products. Now that these updates are available, we are providing the information that Orion Platform customers need to mitigate this issue.

For more information on SUPERNOVA, please see our Security Advisory page at solarwinds.com/securityadvisory and our FAQ at solarwinds.com/securityadvisory/faq.

WHAT SHOULD CUSTOMERS DO?

If you have already upgraded to Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, you are protected against a potential SUPERNOVA attack exploiting this vulnerability.

We recommend that all active maintenance customers of Orion Platform products, except those customers already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, apply the latest updates related to the version of the product they have deployed, as soon as possible. Please visit the Security Advisory page at solarwinds.com/securityadvisory for instructions for and access to these updates.

These updates include versions:

  • 2019.4 HF 6 (released on December 14, 2020)
  • 2020.2.1 HF 2 (released on December 15, 2020)
  • 2019.2 Security Patch (released on December 23, 2020)
  • 2018.4 Security Patch (released on December 23, 2020)
  • 2018.2 Security Patch (released on December 23, 2020)

If you’re unable to upgrade at this time, aren’t on active maintenance, or if you’re running a version prior to 2018.2, we have provided a script that you can quickly install to help protect your environment. The script is available on our Security Advisory page at solarwinds.com/securityadvisory.

Please also refer to our security best practices that are available on the SolarWinds Security Advisory page at solarwinds.com/securityadvisory and FAQ at solarwinds.com/securityadvisory/faq.

Our focus has been on helping our customers protect the security of their environments. Our commitment to our customers remains high, and we are introducing a new program designed to address the issues that our customers face.

Complimentary Professional Services Program. We have developed a program to provide professional consulting resources experienced with the Orion Platform and products to assist customers who need guidance on, or support with, upgrading to the latest hotfix updates. These consulting services will be provided at no charge to our active maintenance Orion Platform product customers. We want to make sure that customers working to secure their environments have the help and assistance they need from knowledgeable resources.

We intend to provide more information and details regarding this program next week on the Security Advisory page at solarwinds.com/securityadvisory.

We continue to work with leading security experts in our investigations to help further secure our products and internal systems.

Forward-Looking Statements

This Blog Post contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding SolarWinds’ understanding of the vulnerability in its Orion Platform products related to the SUPERNOVA malware, the ability of any version or hotfix updates and the script to prevent a SUPERNOVA attack, what customers should do to prevent a SUPERNOVA attack and the ability of our professional services program to provide the help and assistance they need. The forward-looking statements in this Blog Post are based on management's beliefs and assumptions and on information currently available to management, which may change as we continue to address the vulnerability in our products, investigate the SUNBURST vulnerability and related matters and as new or different information is discovered about these matters or generally. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as "aim," "anticipate," "believe," "can," "could," "seek," "should," "feel," "expect," "will," "would," "plan," "intend," "estimate," "continue," "may," or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. 
Factors that could cause or contribute to such differences include, but are not limited to, (a) the discovery of new or different information regarding the SUPERNOVA malware, the SUNBURST vulnerability and related security incidents or of additional vulnerabilities within, or attacks on, SolarWinds’ products, services and systems, (b) the possibility that SolarWinds’ mitigation and remediation efforts with respect to the SUPERNOVA malware or the SUNBURST vulnerability and related security incidents may not be successful, (c) the possibility that customer, personnel or other data was exfiltrated as a result of the SUPERNOVA malware or the SUNBURST vulnerability and related security incidents, (d) numerous financial, legal, reputational and other risks to SolarWinds related to the SUPERNOVA malware or the SUNBURST vulnerability and related security incidents, including risks that the incidents may result in the loss, compromise or corruption of data, loss of business, severe reputational damage adversely affecting customer or vendor relationships and investor confidence, U.S. or foreign regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, (e) risks that SolarWinds’ insurance coverage, including coverage relating to certain security and privacy damages and claim expenses, may not be available or sufficient to compensate for all liabilities SolarWinds incurs related to these matters and (f) such other risks and uncertainties described more fully in documents filed with or furnished to the U.S. Securities and Exchange Commission by SolarWinds, including the risk factors discussed in SolarWinds’ Annual Report on Form 10-K for the period ended December 31, 2019 filed on February 24, 2020, its Quarterly Report on Form 10-Q for the quarter ended March 31, 2020 filed on May 8, 2020, its Quarterly Report on Form 10-Q for the quarter ended June 30, 2020 filed on August 10, 2020 and its Quarterly Report on Form 10-Q for the quarter ended September 30, 2020 filed on November 5, 2020. All information provided in this Blog Post is as of the date hereof and SolarWinds undertakes no duty to update this information except as required by law.

Anonymous
  • The CISA alert recommends 3 options for mitigation. Please refer to the Mitigation section here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

  • for those running older versions of PowerShell, replace line #53 of the mitigation script:

    $orionWebRoot = Get-ItemPropertyValue $orionWebRootKey -Name "Web Root Dir"

    by:

    $orionWebRoot = (Get-ItemProperty $orionWebRootKey)."Web Root Dir"   # Get-ItemPropertyValue only exists on PowerShell 5.0 and later; Get-ItemProperty works on older versions

    Also, may I suggest that a check condition is added before URL-Rewrite installation is attempted? Replacing lines #24 to 49 with the following block would achieve this.

    $iisUrlRewritePath = Join-Path $env:SystemRoot "\system32\inetsrv\rewrite.dll"
    $iisIsInstalled = Test-Path $iisUrlRewritePath
    if ($iisIsInstalled -eq $false) {
        Write-Host "Url-Rewrite not found in the system, initiating download...  "
        # set up the folders
        $swAppDataFolder = Join-Path $env:ProgramData 'SolarWinds'
        $installersFolder = Join-Path $swAppDataFolder 'Installers'
        $installerLogFolder = Join-Path $swAppDataFolder "Logs\Installer\$(Get-Date -Format 'yyyy-MM-dd_HH-mm-ss')"

        New-Item $installersFolder -ItemType Directory -ErrorAction SilentlyContinue | Out-Null
        New-Item $installerLogFolder -ItemType Directory -ErrorAction SilentlyContinue | Out-Null

        # download and install URL Rewrite over TLS 1.2
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

        Write-Host 'Installing IIS URL Rewrite' -ForegroundColor Green
        $rewriteFileName = 'rewrite_amd64_en-US.msi'
        $destinationInstaller = Join-Path $installersFolder $rewriteFileName   # the variable reference needs the leading $
        Invoke-WebRequest -Uri "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/$rewriteFileName" -OutFile $destinationInstaller -Method Get

        $installerLog = Join-Path $installerLogFolder "$rewriteFileName.log"

        # run msiexec through cmd.exe so that $LASTEXITCODE carries the installer's exit code
        & $env:comspec /d /c msiexec /i "$destinationInstaller" /quiet /qn /log "$installerLog"
        [bool]$succeeded = $?
        [long]$errorCode = $Global:LASTEXITCODE
        if (($succeeded -eq $false -and $errorCode -eq 0) -or ($errorCode -ne 0)) {
            Write-Host "Failed to execute the installer ($errorCode). Please see install log at '$installerLog'." -ForegroundColor Red
            exit 1
        }
    }
    else {
        # skipping the installation
        Write-Host "Url-Rewrite found in the system. No download and install needed..."
    }
  • We applied both the Hot Fixes in our environment and the upgrade was successful without any issues. Our Orion Pollers had access to the Internet, which we have now disabled. Based on SolarWinds' recommendations, do we need to rebuild our SolarWinds environment, since we had access to the Internet? Our internal security team is still doing its investigation and we had to shut down our SolarWinds environment as we wait for further updates. If we have to rebuild our environment, will SolarWinds provide professional services for that as well?
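As an added example (this is not SolarWinds' mitigation script and not the commenter's code), the following PowerShell generalizes the two points raised in the mitigation-script comment above: it reads the Orion web root from the registry in a way that works on Windows PowerShell versions before 5.0 (which lack Get-ItemPropertyValue), it skips the URL Rewrite download when rewrite.dll is already present, and, as the check a practitioner would want before executing any installer fetched over the network, it verifies the MSI's Authenticode signature and signer before calling msiexec. The registry key path, the expected publisher name and the function names are assumptions; take the real key and installer path from the mitigation script.

```powershell
# Added example; not SolarWinds' mitigation script and not the commenter's code.
# Assumptions: the registry key below is a placeholder, and the URL Rewrite MSI is
# expected to be signed by Microsoft Corporation.

function Get-RegistryValueCompat {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [Parameter(Mandatory=$true)] [string] $Name
    )
    # Get-ItemPropertyValue was introduced in Windows PowerShell 5.0. On older versions,
    # Get-ItemProperty returns an object whose properties are the key's values.
    if ($PSVersionTable.PSVersion.Major -ge 5) {
        return Get-ItemPropertyValue -Path $Path -Name $Name
    }
    return (Get-ItemProperty -Path $Path).$Name
}

function Test-UrlRewriteInstalled {
    # Same presence check as the comment above: the module ships rewrite.dll under inetsrv.
    $dll = Join-Path $env:SystemRoot 'system32\inetsrv\rewrite.dll'
    return (Test-Path $dll)
}

function Install-SignedMsi {
    param(
        [Parameter(Mandatory=$true)] [string] $MsiPath,
        [Parameter(Mandatory=$true)] [string] $LogPath,
        [string] $ExpectedPublisher = 'Microsoft Corporation'   # assumption: expected signer
    )
    # Refuse to run a downloaded installer whose signature is missing, broken or untrusted,
    # or which was signed by someone other than the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install '$MsiPath': signature status is '$($sig.Status)'."
    }
    if ($sig.SignerCertificate.Subject -notlike "*O=$ExpectedPublisher*") {
        throw "Refusing to install '$MsiPath': signed by '$($sig.SignerCertificate.Subject)', not '$ExpectedPublisher'."
    }
    # Start-Process -Wait -PassThru exposes msiexec's exit code directly, without going through cmd.exe.
    $args = @('/i', "`"$MsiPath`"", '/quiet', '/qn', '/log', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "msiexec exited with code $($proc.ExitCode); see '$LogPath'."
    }
}

# Usage sketch (placeholder key; use the key defined in the mitigation script):
$orionWebRootKey = 'HKLM:\SOFTWARE\PLACEHOLDER\Orion'
$orionWebRoot = Get-RegistryValueCompat -Path $orionWebRootKey -Name 'Web Root Dir'
Write-Host "Orion web root: $orionWebRoot"

if (Test-UrlRewriteInstalled) {
    Write-Host 'IIS URL Rewrite already present; skipping download and install.'
}
else {
    # After downloading the MSI as the mitigation script does, install it only if the signature checks pass:
    # Install-SignedMsi -MsiPath $destinationInstaller -LogPath $installerLog
    Write-Host 'IIS URL Rewrite not found; download the MSI and call Install-SignedMsi on it.'
}
```

Checking the signature after download rather than trusting the URL alone means a tampered or substituted MSI (for example via a proxy or a poisoned download cache) is rejected before it runs with installer privileges; the log path lets the operator review what msiexec did if the install still fails.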