APP: SolarWinds Orion Platform MSMQ Insecure Deserialization

This signature detects attempts to exploit a known vulnerability in SolarWinds Orion Platform MSMQ. A successful attack can lead to arbitrary code execution in the SYSTEM context.

Extended Description

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, when it processes such messages, the service deserializes them in an insecure manner, allowing remote arbitrary code execution as LocalSystem.

Affected Products

Solarwinds orion_platform

Short Name
APP:MISC:SOLARWINDS-MSMQ-INDES
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
APP
Keywords
CVE-2021-25274 Deserialization Insecure MSMQ Orion Platform SolarWinds
Release Date
03/24/2021
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3415
Port
TCP/1801
False Positive
Unknown
Vendors

Solarwinds

CVSS Score

10.0
