The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack.
The update, posted by CISA, instructs all US government agencies that still run SolarWinds Orion platforms to update to the latest 2020.2.1HF2 version by the end of the year. Agencies unable to update by that deadline will have to take all Orion systems offline.
The guidance update comes after security researchers uncovered a new major vulnerability – CVE-2020-10148 – in the SolarWinds Orion app over the Christmas holiday. The vulnerability is an authentication bypass in the Orion API that lets attackers execute remote code on Orion installations.
To Read More: ZDNet