Using Puppet to detect the SolarWinds Orion compromise


Summary

SolarWinds' widely-used Orion IT platform has been the subject of a supply-chain compromise by an unidentified threat actor. The attack was discovered in December 2020, but it appears to have begun in March 2020 when the attacker used trojan malware to open a backdoor on SolarWinds customers around the world. This malware was named SUNBURST by researchers, but may also be referred to as “Solorigate” or simply the “SolarWinds compromise.”

Texas-based SolarWinds’ customers include US government agencies and the majority of Fortune 500 companies. Given the nature of the affected organizations, SUNBURST may prove to be one of the most consequential cyberattacks to date.

Supply-chain attacks take advantage of the trusted relationship between the supplier (SolarWinds) and their customers. In this instance, the trojan was hidden inside a software update for the Orion Platform which was downloaded by up to 18,000 unsuspecting customers.

Affected Platforms

The following versions of the Orion Platform software are affected:

Affected Version      Fixed Version    Fixed Version Release Date
2019.4 HF5            2019.4 HF6       December 2020
2020.2 (no hotfix)    2020.2.1 HF2     December 2020
2020.2 HF1            2020.2.1 HF2     December 2020

Update packages are available from the SolarWinds customer portal.

How can Puppet help detect SUNBURST?

Using Puppet’s automation capabilities, you can detect if a node in your environment has an instance of SolarWinds that could be vulnerable to SUNBURST. Here’s how:

Puppet Remediate and vulnerability scanners

Puppet Remediate integrates with the following vulnerability scanners, each of which can detect SUNBURST:

  • Qualys
  • Rapid7
  • Tenable.io
  • Tenable.sc

Connect your Vulnerability Scanner to Puppet Remediate if you haven’t already done so, then:

  1. Select “Vulnerabilities” from the navigation menu.
  2. Create a filter to show only vulnerabilities related to SolarWinds.

Puppet Remediate and Tasks

Puppet tasks can identify nodes running the SolarWinds Orion Platform; for example, the solarwinds_orion module contains a “version” task which detects the version & hotfix. (Please note this task does not check for or detect symptoms of SUNBURST.)

Download the solarwinds_orion module and add it to Puppet Remediate (using “Manage tasks” on the navigation menu), then run the task to find SolarWinds instances:


Puppet Enterprise

Install the solarwinds_orion module using your code management workflow, then run the task to find SolarWinds instances:


Puppet Bolt

Install the solarwinds_orion module (bolt module add cliveweir-solarwinds_orion), then run the task using Bolt:

❯ bolt task run solarwinds_orion::version -i inventory.yaml -t "*"
Started on genuine-plum.delivery.puppetlabs.net...
Started on superior-soy.delivery.puppetlabs.net...
Finished on superior-soy.delivery.puppetlabs.net:
  {
    "status": "SolarWinds Orion is not installed",
    "version": "",
    "hotfix": 0
  }
Finished on genuine-plum.delivery.puppetlabs.net:
  {
    "status": "SolarWinds Orion 2020.2.4 (no hotfix) detected",
    "version": "2020.2.4",
    "hotfix": 0
  }
Successful on 2 targets: genuine-plum.delivery.puppetlabs.net,superior-soy.delivery.puppetlabs.net
Ran on 2 targets in 12.03 sec

Use this output to determine if the SolarWinds Orion version detected on any node is vulnerable to SUNBURST.
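One way to do that comparison automatically, as an added example rather than code from the post or the solarwinds_orion module: run the task with Bolt's --format json option and map each target's version/hotfix pair against the affected-versions table above. The "items"/"target"/"status"/"value" shape of the Bolt JSON output is assumed here, and the sample run is constructed; a :not_listed verdict only means the version is not in the table on this page, since the task itself does not detect symptoms of SUNBURST.

```ruby
require 'json'

# Affected (version, hotfix) pairs and their fixed version, from the table on this page.
AFFECTED = {
  ['2019.4', 5] => '2019.4 HF6',
  ['2020.2', 0] => '2020.2.1 HF2',
  ['2020.2', 1] => '2020.2.1 HF2',
}.freeze

# Classify one task result ({"status", "version", "hotfix"}) as
# :not_installed, :affected (in the table) or :not_listed (not in the table).
def classify(result)
  version = result['version'].to_s
  hotfix  = result['hotfix'].to_i
  return :not_installed if version.empty?
  AFFECTED.key?([version, hotfix]) ? :affected : :not_listed
end

# Walk Bolt's JSON output (assumed shape: {"items": [{"target", "status", "value"}]})
# and return one summary hash per target; failed task runs are reported, not skipped.
def triage(bolt_json)
  JSON.parse(bolt_json)['items'].map do |item|
    value   = item['value'] || {}
    verdict = item['status'] == 'success' ? classify(value) : :task_failed
    fixed   = AFFECTED[[value['version'].to_s, value['hotfix'].to_i]]
    { target: item['target'], verdict: verdict, fixed_in: fixed }
  end
end

# Constructed sample output: the two hosts from the run above plus one affected host.
SAMPLE = <<~JSON
  {"items": [
    {"target": "superior-soy.example", "status": "success",
     "value": {"status": "SolarWinds Orion is not installed", "version": "", "hotfix": 0}},
    {"target": "genuine-plum.example", "status": "success",
     "value": {"status": "SolarWinds Orion 2020.2.4 (no hotfix) detected", "version": "2020.2.4", "hotfix": 0}},
    {"target": "orion-old.example", "status": "success",
     "value": {"status": "SolarWinds Orion 2019.4 HF5 detected", "version": "2019.4", "hotfix": 5}}
  ], "target_count": 3}
JSON

if $PROGRAM_NAME == __FILE__
  triage(SAMPLE).each do |r|
    line = "#{r[:target]}: #{r[:verdict]}"
    line += " (fixed in #{r[:fixed_in]})" if r[:fixed_in]
    puts line
  end
end
```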

Learn More

  • SolarWinds has published a security advisory on this incident. This includes details of affected software and the vendor’s advice on resolving the specific issue of the malicious modification of their software.
  • FireEye, who discovered the compromise, has published a blog on its investigation. This includes extensive technical details which may help in investigation of a suspected server compromise.
  • Try Puppet Remediate.
  • More about Puppet Enterprise.