When you think about it, it always seems to come down to time. How much time has the application been down? How long have your users been experiencing a problem? How much time will it take to get your application up and running again? Stuff happens, and when it does, you need to get at the root cause fast and minimize the time it takes to get your application back to performing as designed.

This is where the AppOptics troubleshooting triple threat comes in. There are three powerful ways AppOptics helps you get to the root cause of performance problems: distributed tracing, exception tracking, and live code profiling. When combined, all three provide what you need to quickly and accurately identify what's causing your applications' poor performance.

Troubleshooting performance problems with APM and logs together can provide exponential value if you can easily correlate poorly performing transactions with the associated logs. Why is this important? It can be hard to track the root cause of a problem from distributed systems' logs because there is no connection between the log lines emitted by different components. Today, you can get to the root cause of a performance problem by using distributed tracing. On its own, tracing is impressive, but adding a tightly integrated, single-click drill down directly from a transaction trace into the associated logs for those requests is game-changing. AppOptics provides this capability by using distributed tracing to generate and propagate context (i.e., trace IDs) throughout the lifetime of a request. Then, by annotating this context on the associated log lines, you can create logs with distributed context. These context-rich logs in SolarWinds Loggly® and SolarWinds Papertrail™ allow users to isolate individual requests across all systems for better diagnostics. It's also easy to implement this with other log management systems.

Supplementing the SolarWinds Security Bulletin released in mid-December 2020, which detailed a suspected nation-state threat actor introducing a backdoor into SolarWinds Orion versions 2019.4 HF5 and 2020.2 HF1, this bulletin provides an update based on recent observations in late December 2020 and early January 2021.

In the first instance, the public release on 28 December 2020 of a proof-of-concept (PoC) local file disclosure/inclusion (LFD/LFI) exploit, which allows configuration data and credentials to be stolen, has led to multiple threat actors conducting widespread scanning activity in order to identify and target vulnerable SolarWinds Orion installations.

Given the increase in scanning activity, along with widespread press and social media coverage, organizations are again reminded to follow the earlier recommendations: isolate vulnerable hosts first, then update SolarWinds Orion to the latest version as soon as possible. Furthermore, those that find themselves with vulnerable installations should also take steps to investigate a potential breach, since configuration data and credentials may already have been harvested before the host was isolated.

Published to GitHub on 28 December 2020 as a 'Gist' by a security researcher known as '0xsha', the PoC LFD/LFI exploit, written in Python, first determines whether an installation is vulnerable before attempting to gather both configuration data and credentials (Figure 1).

Figure 1 – PoC Python script execution

Vulnerable File Version

After requesting the /Orion/ path, the PoC inspects the Location header of the response to determine whether the installation reports a version that can be exploited (Figure 2).

Once the installation is confirmed as vulnerable, the PoC attempts to retrieve the web.config file used by IIS and SolarWinds Orion, potentially exposing sensitive server configuration data (Figure 3).
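The two-step behaviour the bulletin describes (a request to /Orion/ to read the version, then an attempt to fetch web.config) leaves a recognisable trail in the IIS logs on the Orion server, which is where an investigation of a suspected breach can start. The following is an added example written for this page; it is not the 0xsha PoC and not SolarWinds code. It parses IIS W3C extended logs and reports every request that names web.config, flagging whether the same client probed /Orion/ within the preceding five minutes. The log lines are constructed, and the request URL in the web.config lines is a stand-in, because the bulletin does not state which URL the PoC uses; the match is therefore on 'web.config' appearing anywhere in the decoded request rather than on a specific path.

```python
"""Hunt IIS W3C logs on an Orion server for the PoC's two-step pattern:
a probe of /Orion/ followed by a request that goes after web.config.

Added example for this page; not the 0xsha PoC and not SolarWinds code.
The LFD request URL is not given in the bulletin, so the web.config requests
in the constructed sample use a stand-in path and the match is on
'web.config' anywhere in the decoded request.
"""
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format; not from a real incident.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-12-29 08:01:12 10.0.0.5 GET /Orion/Login.aspx ReturnUrl=%2fOrion%2fSummaryView.aspx 443 - 10.0.4.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2020-12-29 08:03:40 10.0.0.5 GET /Orion/ - 443 - 203.0.113.7 python-requests/2.25.1 - 302 0 0 15
2020-12-29 08:03:41 10.0.0.5 GET /Orion/placeholder.ashx file=web.config 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 33
2020-12-29 08:04:02 10.0.0.5 GET /Orion/ - 443 - 198.51.100.9 curl/7.68.0 - 302 0 0 12
2020-12-29 09:15:30 10.0.0.5 GET /Orion/placeholder.ashx file=web%2Econfig 443 - 198.51.100.9 curl/7.68.0 - 404 0 2 8
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field names follow the directive
            continue
        if line.startswith("#"):
            continue                        # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("log data before any #Fields: directive")
        values = line.split()               # IIS writes spaces inside values as '+'
        if len(values) != len(fields):
            continue                        # truncated line; skip rather than misalign
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def request_uri(rec):
    """Rebuild the requested URI; IIS logs an empty query as '-'."""
    query = rec["cs-uri-query"]
    return rec["cs-uri-stem"] if query == "-" else f'{rec["cs-uri-stem"]}?{query}'


def is_orion_probe(rec):
    """The PoC's version check: a request for the bare /Orion/ path."""
    return rec["cs-uri-stem"].lower().rstrip("/") == "/orion"


def targets_web_config(rec):
    """True if web.config is named anywhere in the decoded stem or query."""
    return "web.config" in unquote(request_uri(rec)).lower()


def find_orion_probes(records, window=timedelta(minutes=5)):
    """One finding per web.config request, flagging whether the same client
    hit /Orion/ within `window` beforehand. A 404 is still reported: a failed
    attempt is evidence of targeting even when nothing was disclosed."""
    last_probe = {}                         # client ip -> time of last /Orion/ request
    findings = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        client = rec["c-ip"]
        if is_orion_probe(rec):
            last_probe[client] = rec["timestamp"]
        if targets_web_config(rec):
            probed_at = last_probe.get(client)
            findings.append({
                "client": client,
                "time": rec["timestamp"].isoformat(sep=" "),
                "request": request_uri(rec),
                "status": int(rec["sc-status"]),
                "user_agent": rec["cs(User-Agent)"],
                "preceded_by_orion_probe": (
                    probed_at is not None and rec["timestamp"] - probed_at <= window),
            })
    return findings


if __name__ == "__main__":
    for hit in find_orion_probes(parse_iis_w3c(SAMPLE_LOG)):
        print(hit)
```

Run it against the W3C files IIS writes for the Orion site (by default under %SystemDrive%\inetpub\logs\LogFiles) by replacing SAMPLE_LOG with the file contents. Two caveats: if a load balancer or reverse proxy fronts Orion, c-ip is the proxy address and the X-Forwarded-For field must be enabled in the log for the correlation to mean anything; and a client that only probes /Orion/ with a scripted user agent is not reported here but is still worth a look given the scanning the bulletin describes. Any host with a hit should be isolated and investigated before it is updated, as the bulletin recommends.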
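The correlation described in the AppOptics section earlier on this page (mint a trace ID at the edge, pass it on each downstream call, stamp it on every log line, then pull back only the lines for one request) works with any logger and any log store, which is what "easy to implement this with other log management systems" amounts to. The block below is an added illustration written for this page in plain Python; it is not AppOptics, Loggly or Papertrail code, and the X-Trace-Id header name, the service names and the simulated request flow are assumptions.

```python
"""Stamp a per-request trace ID on every log line and pull one request back
out of the combined logs of two services.

Added illustration, not AppOptics/Loggly/Papertrail code. The X-Trace-Id
header name, the service names and the simulated request flow are assumptions.
"""
import io
import logging
import uuid
from contextvars import ContextVar

# The trace ID of the request being handled in the current context ('-' if none).
current_trace_id: ContextVar[str] = ContextVar("current_trace_id", default="-")


class TraceIdFilter(logging.Filter):
    """Attach the active trace ID to each LogRecord so the formatter can print it."""

    def filter(self, record):
        record.trace_id = current_trace_id.get()
        return True


def build_logger(service, sink):
    """Logger for one service; every service writes to the same aggregated sink."""
    logger = logging.getLogger(f"demo.{service}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter(
        "%(name)s trace_id=%(trace_id)s %(levelname)s %(message)s"))
    handler.addFilter(TraceIdFilter())
    logger.addHandler(handler)
    return logger


def backend_handle(headers, log):
    """Downstream service: adopt the caller's trace ID for the span of the call."""
    token = current_trace_id.set(headers["X-Trace-Id"])
    try:
        log.warning("orders query took 1980 ms")
    finally:
        current_trace_id.reset(token)


def frontend_handle(headers, front_log, back_log):
    """Edge service: reuse an inbound trace ID or mint one, then propagate it."""
    trace_id = headers.get("X-Trace-Id") or uuid.uuid4().hex
    token = current_trace_id.set(trace_id)
    try:
        front_log.info("GET /checkout received")
        backend_handle({"X-Trace-Id": trace_id}, back_log)   # propagate downstream
        front_log.info("GET /checkout completed in 2100 ms")
    finally:
        current_trace_id.reset(token)
    return trace_id


def lines_for_trace(log_lines, trace_id):
    """Isolate one request's lines across all services by its trace ID."""
    return [line for line in log_lines if f"trace_id={trace_id} " in line]


def run_demo():
    """Handle two requests end to end; return (all log lines, [trace ids])."""
    sink = io.StringIO()
    front_log = build_logger("frontend", sink)
    back_log = build_logger("backend", sink)
    ids = [frontend_handle({}, front_log, back_log) for _ in range(2)]
    return sink.getvalue().splitlines(), ids


if __name__ == "__main__":
    lines, ids = run_demo()
    for line in lines_for_trace(lines, ids[0]):
        print(line)
```

In a real deployment the sink is the log shipper rather than a StringIO, and the trace ID arrives in whatever header the tracing library uses; the rest (a context variable, a logging filter, a trace_id field in the format string) is unchanged, and the lookup by trace ID is what the drill-down from a trace into its logs performs.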