Recent as of December 16, 2020, 6:00pm EST – Initial Statement

RSA has been made aware of a vulnerability within the SolarWinds® Orion® Platform software and the association of this vulnerability to the recently announced FireEye® “Red Team” offensive security toolset disclosure. The intent of this document is to keep RSA Customer’s informed of RSA’s response to the developing situation.

This page will be updated with relevant information, action and FAQs, as RSA receives such detail. Please check back here regularly for more information or direct concerns to your RSA Account Manager and/or RSA Customer Support representative.

At this point, our investigation has determined that RSA products do not use the SolarWinds Orion software affected by the SUNBURST vulnerability announced on December 13th, 2020. RSA will continue coordinating with SolarWinds and our vendors on implementing any appropriate countermeasures and monitoring for appropriate indicators.

Summary of RSA’s Actions – Updated December 16, 2020, 6:00pm EST

On December 8th, 2020, FireEye announced that its custom “Red Team” offensive security toolsets had been obtained by an external advisory. Based on the disclosure, FireEye issued countermeasures which would identify if the toolset was in use to the public.

In response, RSA has taken action to ensure the indicators are included in our monitoring toolsets and processes for our corporate and customer SaaS environments. RSA will continue to regularly update these countermeasures based on FireEye’s guidance.

On December 13th, 2020 SolarWinds disclosed a backdoor vulnerability via SolarWinds.Orion.Core.Business.Layer.dll for SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 per their advisory. This vulnerability has been nicknamed SUNBURST.

In response, RSA performed the following actions:

• RSA assessed the environments using publicly disclosed IOCs, FireEye SUNBURST countermeasures and confirmed on-going monitoring processes are in place.
• Any systems running SolarWinds Orion Platform software were isolated on the network.
• Reaffirmed the RSA Network and Endpoint detection capabilities were implemented and verified.
• RSA engaged SolarWinds representatives to isolate impacted versions of SolarWinds Orion Platform that are affected by the SUNBURST vulnerability to proactively determine impact, if any.
• RSA contacted third-party service providers (SP)s requesting their response to usage of affected software.

FAQs related to our response

Q: Does RSA use SolarWinds’ Orion software? If yes, have you identified any use of Solar Winds Orion vulnerable products (version 2019.4 HF5 – 2020.2 HF1)?

A: Based on our investigations, RSA has not utilized any of the known vulnerable versions of SolarWinds Orion. RSA Security does utilize SolarWinds’ products in some of its Product Line environments. At this time, we have confirmed the following:

• The following products use SolarWinds Orion; however, they have never run an impacted version of the platform (i.e., a version affected by the SUNBURST vulnerability). Instead, the version currently in use is 2020.2.1 HF1.
  • RSA Adaptive Authentication Cloud
  • RSA Adaptive Authentication for eCommerce
• Product Lines that do not utilize SolarWinds Orion products:
  • RSA NetWitness Platform
  • RSA SecurID Access
  • Archer SaaS & Hosted

Q: What are you plans and timelines for remediating the vulnerability on systems running SolarWinds Orion? Do you plan to upgrade to Orion 2020.2.1 HF1 (HF2 when available)? What is the target date for remediation?

A: RSA Security is already utilizing a non-vulnerable version of Orion, 2020.2.1 HF1. Plans for 2020.2.2 HF2 are under review but we do not have a target date at this time. We will share an updated timeline here if and as it becomes available.

Q: Do any of your connected Third Parties and/or Service Providers (SP) utilize the impacted versions of SolarWinds’ Orion software in connected networks that supports products and/or services?

A: RSA Security is actively confirming with our vendors but at this point we have not received notice of usage of the vulnerable versions of SolarWinds’ Orion software.

Q: What steps have you taken to scan, isolate and eradicate the potential malware resulting from Orion updates?

A: RSA Security has performed the following actions:

• Scanned environments for all SolarWinds devices with particular scrutiny given to systems running SolarWinds Orion Platform software.
• Implemented detection capabilities at the network and node level within the environment.
• Isolated systems running SolarWinds Orion Platform software while internal investigation is ongoing.

Q: Have you reviewed your environments for the Common Vulnerability Exposures (CVE)s that are utilized within the FireEye toolsets? If yes, what is the status of remediation of those vulnerabilities?

A: This investigation is currently under review.