Using Puppet to detect the SolarWinds Orion compromise
SolarWinds' widely-used Orion IT platform has been the subject of a supply-chain compromise by an unidentified threat actor. The attack was discovered in December 2020, but it appears to have begun in March 2020, when the attacker inserted a backdoor into Orion software builds that were then distributed to SolarWinds customers around the world. Researchers named this malware SUNBURST, but the incident may also be referred to as “Solorigate” or simply the “SolarWinds compromise.”
Texas-based SolarWinds’ customers include US government agencies and the majority of Fortune 500 companies. Given the nature of the affected organizations, SUNBURST may prove to be one of the most consequential cyberattacks to date.
Supply-chain attacks take advantage of the trusted relationship between the supplier (SolarWinds) and their customers. In this instance, the trojan was hidden inside a software update for the Orion Platform which was downloaded by up to 18,000 unsuspecting customers.
The following versions of the Orion Platform software are affected:

| Affected version | Fixed version | Fixed version release date |
|---|---|---|
| 2019.4 HF5 | 2019.4 HF6 | December 2020 |
| 2020.2 (no hotfix) | 2020.2.1 HF2 | December 2020 |
| 2020.2 HF1 | 2020.2.1 HF2 | December 2020 |
Update packages are available from the SolarWinds customer portal.
How can Puppet help detect SUNBURST?
Using Puppet’s automation capabilities, you can detect if a node in your environment has an instance of SolarWinds that could be vulnerable to SUNBURST. Here’s how:
Puppet Remediate and vulnerability scanners
Puppet Remediate integrates with the following vulnerability scanners, each of which can detect SUNBURST:
Connect your Vulnerability Scanner to Puppet Remediate if you haven’t already done so, then:
- Select “Vulnerabilities” from the navigation menu.
- Create a filter to show only vulnerabilities related to SolarWinds.
Puppet Remediate and Tasks
Puppet tasks can identify nodes running the SolarWinds Orion Platform; for example, the solarwinds_orion module contains a “version” task which reports the installed version and hotfix. (Please note this task only reports the version; it does not check for or detect symptoms of SUNBURST itself.)
Download the solarwinds_orion module and add it to Puppet Remediate (using “Manage tasks” on the navigation menu), then run the task to find SolarWinds instances:
Install the solarwinds_orion module using your code management workflow, then run the task to find SolarWinds instances:
Install the solarwinds_orion module
Run bolt module add cliveweir-solarwinds_orion to add the module to your Bolt project, then run the task using bolt:
Use this output to determine if the SolarWinds Orion version detected on any node is vulnerable to SUNBURST.
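As an added example (not code from this page or from the solarwinds_orion module), the script below post-processes the JSON that Bolt prints when the version task is run with --format json, and labels each target against the advisory table above: affected, fixed, not listed, or unknown when the task failed on that target (for instance because Orion is not installed). It assumes the task returns a result with the keys version and hotfix; that is an assumption, so check the module's task metadata for the real key names. The Bolt output embedded in the script is constructed sample data.

```python
"""Triage Bolt JSON output from an Orion version task against the SUNBURST advisory table."""
import json
import re
import sys

# Version/hotfix pairs copied from the advisory table on this page.
# "" as the hotfix means "no hotfix installed".
AFFECTED = {("2019.4", "HF5"), ("2020.2", ""), ("2020.2", "HF1")}
FIXED = {("2019.4", "HF6"), ("2020.2.1", "HF2")}

# Constructed sample of what `bolt task run ... --format json` prints.
# The "version"/"hotfix" keys inside "value" are an ASSUMPTION about the
# task's output; adjust them to match the task you actually run.
SAMPLE_BOLT_OUTPUT = json.dumps({
    "items": [
        {"target": "orion-prod-01", "status": "success",
         "value": {"version": "2020.2", "hotfix": "HF1"}},
        {"target": "orion-prod-02", "status": "success",
         "value": {"version": "2020.2.1", "hotfix": "HF2"}},
        {"target": "orion-lab-01", "status": "success",
         "value": {"version": "2019.4", "hotfix": ""}},
        {"target": "orion-lab-02", "status": "success",
         "value": {"version": "2020.2 HF 1", "hotfix": None}},   # messy formatting
        {"target": "fileserver-01", "status": "failure",
         "value": {"_error": {"msg": "SolarWinds Orion is not installed"}}},
    ],
    "target_count": 5,
    "elapsed_time": 12,
})


def normalize(version, hotfix):
    """Return a (version, hotfix) key in the same shape as the advisory table.

    Tolerates "hf1", "HF 1", "1", a missing hotfix, and a hotfix that was
    folded into the version string ("2020.2 HF1").
    """
    v = str(version or "").strip()
    h = str(hotfix or "").strip().upper().replace(" ", "")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?", v, re.IGNORECASE)
    if m:
        v = m.group(1)
        if m.group(2) and not h:
            h = "HF" + m.group(2)
    if h and not h.startswith("HF"):
        h = "HF" + h
    return v, h


def classify(version, hotfix):
    """Label one version/hotfix pair using only what the advisory table says."""
    key = normalize(version, hotfix)
    if key in AFFECTED:
        return "AFFECTED"
    if key in FIXED:
        return "fixed"
    return "not in advisory table - verify manually"


def triage(bolt_json):
    """Map each Bolt target to a verdict; failed targets are reported, not dropped."""
    data = json.loads(bolt_json)
    verdicts = {}
    for item in data.get("items", []):
        target = item["target"]
        if item.get("status") != "success":
            msg = item.get("value", {}).get("_error", {}).get("msg", "task failed")
            verdicts[target] = "unknown (%s)" % msg
            continue
        value = item.get("value", {})
        verdicts[target] = classify(value.get("version"), value.get("hotfix"))
    return verdicts


if __name__ == "__main__":
    # Pipe real Bolt output in, or run with no stdin to use the sample data.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BOLT_OUTPUT
    for target, verdict in sorted(triage(raw).items()):
        print("%-16s %s" % (target, verdict))
```

Run it as `bolt task run <task> --targets <group> --format json | python3 triage.py`. Anything that lands in the "not in advisory table" bucket (older releases, or a version string the task could not parse) should be checked against the SolarWinds advisory by hand rather than assumed safe.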
- SolarWinds has published a security advisory on this incident. This includes details of affected software and the vendor’s advice on resolving the specific issue of the malicious modification of their software.
- FireEye, who discovered the compromise, has published a blog post on its investigation. This includes extensive technical details which may help in the investigation of a suspected server compromise.
- Try Puppet Remediate.
- More about Puppet Enterprise.