More exploitable flaws found in SolarWinds software, says cybersecurity company

WASHINGTON – A cybersecurity company has identified three new “critical” flaws in software produced by SolarWinds, the company whose product was exploited in what American officials said last year was a massive intrusion into US corporate and government networks by Russian intelligence.

Security company Trustwave said it had informed SolarWinds of the vulnerabilities, which, according to Trustwave, could have allowed an attacker to compromise SolarWinds customers’ networks.

SolarWinds has released a patch to correct the security flaws, and neither company found evidence that hackers had exploited the vulnerabilities. However, the findings raise new security concerns about SolarWinds, which provides information technology software to government agencies and most Fortune 500 companies.

The potential damage, had the flaws been exploited, is difficult to quantify. In theory, however, exploitation could have exposed everything from consumer data to corporate and government secrets.

After the SolarWinds hack became public in December, “we decided that we wanted to test ourselves to see if SolarWinds products are safe,” said Ziv Mador, vice president of security research at Trustwave. “In two weeks, [we] found three serious vulnerabilities.”

In a statement to NBC News, SolarWinds said: “Vulnerabilities of varying degrees are common in all software products, but we understand that there is intensified scrutiny of SolarWinds now.”

The company said the flaws were corrected through software patches.

“Following the recent attack by a nation-state against a number of American software providers, including SolarWinds, we have collaborated with our industry partners and government agencies to advance our goal of making SolarWinds the most secure and reliable software company,” said the statement. “We have always been committed to working with our customers and other organizations to identify and remedy any vulnerabilities in our product portfolio responsibly. Today’s announcement aligns with this process.”

The lesson, Mador said, is that software vendors must continually subject their products to what is known as a “penetration test”, in which testers probe for weaknesses so that they can be fixed before attackers exploit them.

“In almost 100 percent of the applications we tested, we found vulnerabilities,” he said. “Some serious, some mild.”

Trustwave first approached SolarWinds about the flaws in late December, Mador said, and gave it time to release the patch. Trustwave will wait another week before publishing a “proof of concept” showing exactly how the flaws can be exploited, he said.

Reuters reported on Tuesday that Chinese hackers exploited a SolarWinds flaw to gain access to the Department of Agriculture. SolarWinds said in a statement that the hackers first broke into the Department of Agriculture’s network and only then added malicious code to the SolarWinds Orion software running on that customer’s network.

“We are aware of an instance of this event and this is separate from the broad and sophisticated attack that targeted several software companies as vectors,” added the statement.
