If you haven’t heard the news, a major exploit occurred in popular software from SolarWinds. We encourage you to review Alert AA20-352A from the Cybersecurity & Infrastructure Security Agency.
In order to assist our customers in remediating this threat, we have added a product definition to PRS for the compromised versions. While most anti-malware solutions will likely have addressed this by now, we offer this as an extra level of detection and confidence.
If PRS is working in your configuration and any of these programs are in your environment, you should already have this Product and be able to report on it. It is important to understand the exploit is in a dll file in certain versions of the software. We can not directly detect the dll or the presence of the exploit, but we can detect if the afflicted versions of the host program are present. As such, this is a method to flag systems that need further remediation. It is not a guarantee of exploit detection, nor any method of automatic remediation.
If you see Installs listed in your Products window for this new product, it is highly advised that you address these systems. You can right click on the product and choose Audit -> Audit Products (PROD x comp) to get a report of all computers with the listed variants above.
Getting the Definition
If you do not see the Product on your server, do not assume that you’re safe. Ensure that PRS checks are working on your server first. Go into KeyConfigure -> Config -> General Settings -> PRS. Verify the last check was successful. If not, click Contact Now and contact Sassafras Support if you’re seeing issues.
You can also manually get the definition in KeyConfigure -> Tasks -> Find Product Definitions. Type in solarwinds and search. You’ll see the below item in the list. Ensure it is checked (you can uncheck anything else potentially listed) and click Import.
Remember that we can only show data from systems that have reported in to the server. If you have machines without KeyAccess, you may want to address that as needed. If your Audit cycle is set to the default 2 weeks, you may have stale data. In KeyConfigure -> Config -> General Settings -> Audits you can set the default frequency at the top to daily in many environments (i.e. a couple thousand clients or less). Larger sites may want to consider potential traffic impact and server load with increased frequency. You can also always select a number of Computers and right click -> Request Audit to audit on demand. Once Computers have submitted audits, you can then trigger a Product Audit instead of waiting overnight. This again is in General Settings -> Audits -> Now ( button grayed out if currently in progress).
We hope this is helpful to anyone facing remediation of the compromise.