SolarWinds

The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack.

In an update[1] posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year.

Agencies that can't update by that deadline are to take all Orion systems offline, per CISA's original guidance, first issued on December 18.

The guidance update comes after security researchers uncovered a new major vulnerability in the SolarWinds Orion app over the Christmas holiday.

Tracked as CVE-2020-10148[2], this vulnerability is an authentication bypass in the Orion API that allows attackers to execute code remotely on Orion installations.

This vulnerability was being exploited in the wild to install the Supernova malware on servers where the Orion platform was installed, in attacks separate from the SolarWinds supply chain incident[3].

Orion update verified by the NSA

As part of the original SolarWinds supply chain attack, hackers broke into SolarWinds' internal network and altered several versions of the Orion app to add malware.

All Orion app updates, versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with a malware strain named Sunburst (or Solorigate).

This malware is believed to have been installed by at least 18,000 companies, according to SolarWinds. Sunburst was only a first-stage reconnaissance module that allowed the attackers to escalate infections to a second stage, where they deployed a malware strain named Teardrop.

SolarWinds released the 2020.2.1HF2 version on December 15 to address the attack, claiming that installing the update would remove any traces of the Sunburst-related code[4] from their systems (present inside victim networks after installing the originally tainted Orion
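As an added example (not code from the article, CISA or SolarWinds), the following Python helper parses Orion version strings in the `2020.2.1HF2` format and applies the guidance above to a constructed host inventory: a host on a tainted 2019.4 through 2020.2.1 build must update to 2020.2.1HF2 or go offline, and anything else below the required version still needs the update. The `HF` suffix handling and the hostnames are assumptions.

```python
import re

# Versions named in the article: the tainted range and the required fix.
TAINTED_FIRST = "2019.4"
TAINTED_LAST = "2020.2.1"
REQUIRED = "2020.2.1HF2"

# Assumed format: year.minor[.patch][HFn], e.g. "2020.2.1HF2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:HF(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn an Orion version string into a comparable
    (major, minor, patch, hotfix) tuple; '2020.2.1 HF2' is tolerated."""
    cleaned = text.strip().replace(" ", "").upper()
    m = _VERSION_RE.match(cleaned)
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def classify(version: str) -> str:
    """'compliant' at or above 2020.2.1HF2, 'tainted' inside the
    Sunburst range the article names, otherwise 'below-required'."""
    v = parse_version(version)
    if v >= parse_version(REQUIRED):
        return "compliant"
    if parse_version(TAINTED_FIRST) <= v <= parse_version(TAINTED_LAST):
        return "tainted"
    return "below-required"


def triage(inventory: dict) -> dict:
    """Map each host to the action CISA's guidance implies."""
    actions = {}
    for host, version in inventory.items():
        status = classify(version)
        if status == "compliant":
            actions[host] = "ok"
        elif status == "tainted":
            actions[host] = "update to 2020.2.1HF2 or take offline"
        else:
            actions[host] = "update to 2020.2.1HF2"
    return actions


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are made up.
    sample = {"orion-a": "2020.2.1HF2", "orion-b": "2019.4",
              "orion-c": "2020.2.1 HF1", "orion-d": "2018.4"}
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```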
