In a rare occurrence, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive (21-01 – “Mitigate SolarWinds Orion Code Compromise”) on December 13, which included steps that government entities should take to mitigate and secure their networks after the compromise of SolarWinds Orion product became known. Government agencies using the SolarWinds Orion products were given until noon, December 14 to provide a completion report.
CISA Emergency Directive
The CISA Emergency Directive, only the fifth in the history of CISA, notes SolarWinds Orion products are being exploited by unidentified “malicious actors.” CISA Acting Director Brandon Wales tells us, “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks. Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
Industry and media are less diplomatic than CISA and has attributed the compromise to a nation state, specifically Russia. Identified government agencies include, Department of Homeland Security, Department of State, National Institutes of Health, Department of Commerce and the United States Treasury.
SolarWinds, in a SEC Form 8K submission, dated December 14, 2020, notes the “vulnerability was inserted within the Orion products and existed in updates released between March and June 2020, was introduces as a result of a compromise of the Orion software build system and was not present in the code repository of the Orion products.” The Form 8K goes on to inform that SolarWinds Orion has over 300,000 customers of which 33,000 are currently “active maintenance customers” during the period of exposure. The company assesses that “less than 18,000” of their customers “may have had an installation of the Orion products that contained this vulnerability.”
Interestingly, Microsoft Office 365 is highlighted by the company as their email and office productivity tool, and notes that the company’s email was compromised and may have provided an avenue into the company’s office productivity tools. Microsoft and SolarWinds are collaborating in their investigation to determine whether the compromise is associated.
According to CISA, the adversary successfully compromised the vendor’s products to “gain access to network traffic management systems.” The CISA directive instructs all entities within the U.S. government to disconnect affected devices, emphasizing that it “is the only mitigation measure currently available.” And then continues to provide specific steps which government agency information security teams should take to comply with the mitigation instructions.
CISA Report Format
CISA’s required completion report template (Excel spreadsheet) to be forwarded via email to CISA and the spreadsheet is to include information from all subcomponents within a given agency’s footprint and signed by the CIO of the agency. The eight data points are:
- Total number of ALL SolarWinds Orion instances in operation by the agency as of close of business December 11, 2020.
- Total number of SolarWinds Orion instances identified in question 1 running versions 2019.4 through 2020.2.1 HF1 as of close of business on December 11, 2020.
- Were system memory and/or host operating systems for all instance of SolarWinds Orion versions 2019.4 through 2020.2.1.HF1 imaged pursuant to Required Action 1a?
- Provide detailed narrative descriptions of actions taken under Action 1a, including versions and number of affected instances.
- Were all instances of SolarWinds Orion versions 2019.4 through 2020.2.1.HF1 disconnected or powered down, pursuant to Required Action 2?
- Provide detailed narrative description of actions taken under Action 2, including the versions and numbers of affected instances.
- If related incidents were reported to CISA per Action 3, please provide incident tracking numbers (both internal and as assigned by CISA).
- Additional comments, e.g. constraints impacting your agency’s ability to update, support needs, observations, challenges and technical issues.
While the CISA Emergency Directive was addressed to government entities, if your company, institute, or agency is one of the “less than 18,000” SolarWinds Orion customers who received their automated updates via the vendor, as described in the SEC Form 8K, then the instructions within the Emergency Directive should be taken on board as your initial mitigation step – unplug the application/servers from your network.