Skip to main content

US government agencies told to patch SolarWinds flaws now

Zero-day attack
(Image credit: Shutterstock.com)

The US Cybersecurity and Infrastructure Security Agency (CISA) has asked all US government agencies to update their SolarWinds Orion installations to the latest version, by the end of business hours on December 31, 2020.

According to reports, CISA's Supplemental Guidance to Emergency Directive 21-01 orders all agencies using Solarwinds’ Orion to update to the latest 2020.2.1HF2 version. 

In case they are unable to meet this deadline, they are to take all their Orion systems offline, in compliance with CISA's original guidance, that was first issued on December 18.

NSA vetted

The directive follows the SolarWinds supply chain attack in which hackers broke into the software firm SolarWinds' and altered several versions of the Orion platform to add malware.

After the massive supply chain attack came to light, it was discovered that Orion versions 2019.4 through to 2020.2.1, that were released between March 2020 and June 2020, were tainted with malware named Sunburst and Supernova.

SolarWinds released the 2020.2.1HF2 version on December 15 to address the attack by eliminating every bit of the malicious code. This release has now been verified by the National Security Agency as well tweeted CISA yesterday, as it issued the supplemental guidance for its agencies.

In its directive CISA writes that “Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020.” 

The agency further added that it will follow up “with additional supplemental guidance, to include further clarifications and hardening requirements.”

Via: ZDNet