This page covers the SolarWinds response to both SUNBURST and SUPERNOVA. For information about SUNBURST, go here. For information about SUPERNOVA, go here.
SolarWinds was the victim of a cyberattack on our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software. In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.
The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security (DHS), issued Emergency Directive 21-01 on December 13, 2020 regarding this issue, and has updated its guidance as part of our ongoing coordination with the agency. The latest information can be found on CISA’s Supply Chain Compromise page and continues to be updated as we learn more.
A detailed Frequently Asked Questions (FAQ) page is available here, and we intend to update this page as we learn more information.
We want to assure you we’ve removed the software builds known to be affected by the SUNBURST vulnerability from our download sites.
Additionally, we want you to know that, while our investigations are early and ongoing, based on our investigations to date, we are not aware that this SUNBURST vulnerability affects other versions of Orion Platform products. Also, while we are still investigating our non-Orion products, we have not seen any evidence that they are impacted by the SUNBURST vulnerability.
If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfix updates you have applied, please go here.
Known affected products: Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:
- Application Centric Monitor (ACM)
- Database Performance Analyzer
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- User Device Tracker (UDT)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)

*NOTE: DPAIM is an integration module and is not the same as Database Performance Analyzer (DPA), which we do not believe is affected.
SolarWinds products NOT KNOWN TO BE AFFECTED by this security vulnerability:
- 8Man
- Access Rights Manager (ARM)
- AppOptics
- Backup Document
- Backup Profiler
- Backup Server
- Backup Workstation
- CatTools
- Dameware Mini Remote Control
- Dameware Patch Manager
- Dameware Remote Everywhere
- Dameware Remote Manager
- Database Performance Analyzer (DPA)
- Database Performance Monitor (DPM)
- DNSstuff
- Engineer’s Toolset
- Engineer's Web Toolset
- FailOver Engine
- Firewall Security Monitor
- Identity Monitor
- ipMonitor
- Kiwi CatTools
- Kiwi Log Viewer
- Kiwi Syslog Server
- LANSurveyor
- Librato
- Log & Event Manager (LEM)
- Log and Event Manager Workstation Edition
- Loggly
- Mobile Admin
- Network Topology Mapper (NTM)
- Papertrail
- Patch Manager
- Pingdom
- Pingdom Server Monitor
- Security Event Manager (SEM)
- Security Event Manager Workstation Edition
- Server Profiler
- Service Desk
- Serv-U FTP Server
- Serv-U Gateway
- Serv-U MFT Server
- Storage Manager
- Storage Profiler
- Threat Monitor
- Virtualization Profiler
- Web Help Desk
- SQL Sentry
- DB Sentry
- V Sentry
- Win Sentry
- BI Sentry
- SentryOne Document
- SentryOne Test
- Task Factory
- DBA xPress
- Plan Explorer
- APS Sentry
- DW Sentry
- SQL Sentry Essentials
- SentryOne Monitor
- BI xPress
SolarWinds MSP Products: N-central – Probe N-central – Topology N-central – NetPath N-central NetPath – Server RMM Backup Disaster Recovery M365 Backup Backup Mail Assure SpamExperts MSP Manager PassPortal Take Control Patch Automation Manager Webprotection
We have also found no evidence that any of our free tools, Orion agents, or Web Performance Monitor (WPM) Players are impacted by SUNBURST.
Over the last few days, third parties and the media publicly reported on malware now referred to as SUPERNOVA. Based on our investigation, this malware could be deployed through an exploitation of a vulnerability in the Orion Platform. Like other software companies, we seek to responsibly disclose vulnerabilities in our products to our customers while also mitigating the risk that bad actors seek to exploit those vulnerabilities by releasing updates to our products that remediate these vulnerabilities before we disclose them.
The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform. The second was the use of a vulnerability in the Orion Platform to enable deployment of the malicious code. The vulnerability in the Orion Platform has been resolved in the latest updates.
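A triage check for the webshell component described above, as an added example (not SolarWinds code and not the mitigation script referenced on this page). It searches a directory tree for the DLL file name given in the advisory and reports each copy's Authenticode status and SHA-256 so that unsigned copies can be reviewed; the `SearchRoot` parameter and the function name are assumptions introduced for illustration, and a flagged file is a lead for investigation, not a verdict.

```powershell
# Added example: locate copies of the DLL named in the advisory and report
# whether each one carries a valid Authenticode signature.
# $SearchRoot is an assumption: pass the root of your Orion web installation.
param(
    [Parameter(Mandatory = $true)]
    [string]$SearchRoot
)

# File name taken verbatim from the advisory text.
$IndicatorName = 'app_web_logoimagehandler.ashx.b6031896.dll'

function Get-SupernovaCandidate {
    param([string]$Root, [string]$Name)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter $Name -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                Path            = $_.FullName
                LastWriteUtc    = $_.LastWriteTimeUtc
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256          = $hash.Hash
                # The advisory describes the malicious DLL as unsigned, so any copy
                # without a valid signature is queued for manual review.
                NeedsReview     = ($sig.Status -ne 'Valid')
            }
        }
}

$results = @(Get-SupernovaCandidate -Root $SearchRoot -Name $IndicatorName)

if ($results.Count -eq 0) {
    Write-Output "No file named $IndicatorName found under $SearchRoot."
} else {
    # Unsigned or invalidly signed copies are listed first.
    $results | Sort-Object NeedsReview -Descending | Format-List
}
```

Record the reported hash and timestamp before upgrading or removing anything, so the evidence survives remediation.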
We constantly work to enhance the security of our products and to protect our customers and ourselves because hackers and other cybercriminals are always seeking new ways to find and attack their victims. We work closely with our customers to address and remediate any potential concerns, and we encourage all customers to run only supported versions of our products and to upgrade to the latest versions to get the full benefit of our updates, improvements, and enhancements.
RECOMMENDED ACTIONS
We recommend that all active maintenance customers of Orion Platform products, except those customers already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, apply the latest updates related to the version of the product they have deployed, as soon as possible. Please visit the Security Advisory page for instructions for and access to these updates.
These updates include versions:
- 2019.4 HF 6 (released December 14, 2020)
- 2020.2.1 HF 2 (released December 15, 2020)
- 2019.2 SUPERNOVA Patch (released December 23, 2020)
- 2018.4 SUPERNOVA Patch (released December 23, 2020)
- 2018.2 SUPERNOVA Patch (released December 23, 2020)
- If you have already upgraded to 2020.2.1 HF 2 or 2019.4 HF 6, both the SUNBURST and SUPERNOVA vulnerabilities have been addressed and no further action is required at this time.
- If you have not already upgraded to 2020.2.1 HF 2 or 2019.4 HF 6, follow the guidance identified for your current version of the Orion Platform below to help ensure the security of your environment.
First, identify the version of the Orion Platform software you are using by reviewing the directions on how to check that here or refer to the image below. To check which updates you have applied, please go here.
From Orion Web Console
Second, we recommend taking the steps related to your use of your version of the SolarWinds Orion Platform per the table below:
| Orion Platform Version | Known Affected by SUNBURST? | Known Vulnerable to SUPERNOVA? | Recommended Action | Direct Link |
| --- | --- | --- | --- | --- |
| Orion Platform 2020.2.1 HF 2 | NO | NO | No action needed | No action needed |
| Orion Platform 2020.2.1 HF 1 | NO | YES | Upgrade to 2020.2.1 HF 2 | |
| Orion Platform 2020.2.1 | NO | YES | Upgrade to 2020.2.1 HF 2 | |
| Orion Platform 2020.2 HF 1 | YES | YES | Upgrade to 2020.2.1 HF 2 | |
| Orion Platform 2020.2 | YES | YES | Upgrade to 2020.2.1 HF 2 | |
| Orion Platform 2019.4 HF 6 | NO | NO | No action needed | No action needed |
| Orion Platform 2019.4 HF 5 | YES | YES | Upgrade to 2019.4 HF 6 | |
| Orion Platform 2019.4 HF 4 | NO | YES | Upgrade to 2019.4 HF 6 | |
| Orion Platform 2019.4 HF 3 | NO | YES | Upgrade to 2019.4 HF 6 | |
| Orion Platform 2019.4 HF 2 | NO | YES | Upgrade to 2019.4 HF 6 | |
| Orion Platform 2019.4 HF 1 | NO | YES | Upgrade to 2019.4 HF 6 | |
| Orion Platform 2019.4 | NO* | YES | Upgrade to 2019.4 HF 6 | |
| Orion Platform 2019.2 HF 3 | NO | YES | Upgrade to 2020.2.1 HF 2 | To upgrade, go to customerportal.solarwinds.com |
| Orion Platform 2019.2 HF 2 | NO | YES | Upgrade to 2020.2.1 HF 2 | To upgrade, go to customerportal.solarwinds.com |
| Orion Platform 2019.2 HF 1 | NO | YES | Upgrade to 2020.2.1 HF 2 | To upgrade, go to customerportal.solarwinds.com |
| Orion Platform 2019.2 | NO | YES | Upgrade to 2020.2.1 HF 2 | To upgrade, go to customerportal.solarwinds.com |
| Orion Platform 2018.4 | NO | YES | Upgrade to 2020.2.1 HF2 (or ensure you are running 2018.4 HF3 AND apply the 2018.4 HF3 Security Patch) | To upgrade, go to customerportal.solarwinds.com |
| Orion Platform 2018.2 | NO | YES | Upgrade to 2020.2.1 HF2 (or ensure you are running 2018.2 HF6 AND apply the 2018.2 HF6 Security Patch) | To upgrade, go to customerportal.solarwinds.com |
| All prior versions | NO | YES | Discontinue use | |
All recommended upgrade versions are currently available at customerportal.solarwinds.com.
All hotfix updates are cumulative and can be installed from any earlier version. There is no need to install previously released hotfix updates. You may need to synchronize your license prior to applying the hotfix. Please follow the steps here to kick off the synchronization of your license.
*If you have disabled outward communication from your Orion license, please follow the “Activate License Offline” section from here. Once you have successfully synched your license, please run the installer to install the hotfix.
If you’re unable to upgrade at this time, we have provided a script that customers can install to temporarily protect their environment against the SUPERNOVA malware. The script is available at https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip.
If you cannot upgrade immediately, please follow the guidelines available here for your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is required to operate your platform.
WHAT ARE WE DOING TO HELP?
Our focus has been on helping our customers protect the security of their environments. Our commitment to our customers remains high, and we are introducing a new program designed to address the issues that our customers face.
We have developed a program to provide professional consulting resources experienced with the Orion Platform and products to assist customers who need guidance on or support upgrading to the latest hotfix updates. These consulting services will be provided at no charge to our active maintenance Orion Platform product customers. We want to make sure that customers working to secure their environments have the help and assistance they need from knowledgeable resources.
We intend to provide more information and details regarding this program next week on the Security Advisory page.
We continue to work with leading security experts in our investigations to help further secure our products and internal systems.