Executive Summary

Summary
Title SolarWinds Orion API authentication bypass allows remote command execution
Informations
Name VU#843464 First vendor Publication 2020-12-26
Vendor VU-CERT Last vendor Modification 2021-01-28
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 9.8
Base Score 9.8 Environmental Score 9.8
impact SubScore 5.9 Temporal Score 9.8
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Overview

The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.

Description

The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.axd, ScriptResource.axd, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

This vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has indicated to have been used to install the malware known as SUPERNOVA.

We have created a python3 script to check for vulnerable SolarWinds Orion servers: swcheck.py

Impact

This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.

Solution

Apply an Update

Users should update to the relevant versions of the SolarWinds Orion Platform:

  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

More information can be found in the SolarWinds Security Advisory.

Harden the IIS Server

Especially in cases when updates cannot be installed, we recommend that users implement these mitigations to harden the IIS server.

Acknowledgements

This document was written by Madison Oliver and Will Dormann.

Original Source

Url : https://kb.cert.org/vuls/id/843464

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

Snort® IPS/IDS

Date Description
2021-02-18 SolarWinds Orion authentication bypass attempt
RuleID : 56917 - Revision : 1 - Type : SERVER-WEBAPP
2021-02-18 SolarWinds Orion authentication bypass attempt
RuleID : 56916 - Revision : 1 - Type : SERVER-WEBAPP
2021-02-02 SolarWinds Orion authentication bypass attempt
RuleID : 56829 - Revision : 1 - Type : SERVER-WEBAPP
2021-02-02 SolarWinds Orion authentication bypass attempt
RuleID : 56828 - Revision : 2 - Type : SERVER-WEBAPP
2021-02-02 SolarWinds Orion authentication bypass attempt
RuleID : 56827 - Revision : 2 - Type : SERVER-WEBAPP
2021-02-02 SolarWinds Orion authentication bypass attempt
RuleID : 56826 - Revision : 2 - Type : SERVER-WEBAPP
2021-02-02 SolarWinds Orion version lookup attempt
RuleID : 56825 - Revision : 1 - Type : POLICY-OTHER

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
Date Informations
2021-01-28 21:17:59
  • Multiple Updates
2021-01-15 00:17:32
  • Multiple Updates
2021-01-12 21:18:02
  • Multiple Updates
2021-01-12 00:17:35
  • Multiple Updates
2020-12-31 21:29:47
  • Multiple Updates
2020-12-29 21:17:59
  • Multiple Updates
2020-12-27 05:17:35
  • Multiple Updates
2020-12-26 21:17:58
  • First insertion