Very High
CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE
CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE
Description
The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
This API is a central part of the Orion platform with highly privileged access to all Orion platform components. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
Patches are available and as of 2020-12-24 organizations should be on one of the following versions to mitigate this weakness:
- 2019.4 HF 6 (released December 14, 2020)
- 2020.2.1 HF 2 (released December 15, 2020)
- 2019.2 SUPERNOVA Patch (released December 23, 2020)
- 2018.4 SUPERNOVA Patch (released December 23, 2020)
- 2018.2 SUPERNOVA Patch (released December 23, 2020)
Please see the following resources for more information:
https://www.kb.cert.org/vuls/id/843464
https://www.solarwinds.com/securityadvisory#anchor2
Add Assessment
Technical Analysis
This vulnerability was reported on 12/24, and was discovered after an investigation led to the identification of a web shell on an affected victim, claim sources. The “malware” was named SUPERNOVA, and to install it, the actor used a 0day vulnerability on the SolarWinds API. More details are available at the SolarWinds website (or really, all over the internet): https://www.solarwinds.com/securityadvisory
As of writing, the CVE details are still reserved. CVSS v3.1 calculations vary between 9.5-10 (depending on how far into the environmental characteristics you dive, but most sites peg it at 9.8).
This gist on GitHub seems to demonstrate exploitability of the issue by dumping a password database using auth bypass + arbitrary file read:
https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965
Technical Analysis
It looks like CISA updated their guidance for U.S. federal agencies last night and told them to update to SolarWinds Orion 2020.2.1 HF2 within 48 hours (“by the end of the year”) or take Orion systems offline. It’s warranted, especially since there may be other issues in the Orion code base that have yet to be discovered or disclosed. Organizations that come into the new year still on affected versions of Orion would be well-advised to consider conducting incident response investigations to determine whether they have been compromised.
The SolarWinds advisory as of December 30, 2020 doesn’t explicitly say this CVE was the vulnerability that allowed for installation of the SUPERNOVA malware, though they implicitly make the link by calling the patch that resolves CVE-2020-10148 the “SUPERNOVA patch.” Maybe I’m picking at nits there since everyone else in the world seems to have linked the two unequivocally! In any event, this CVE is an active threat and folks who haven’t updated to SolarWinds Orion 2019.4 HF6 or 2020.2.1 HF2 should do so immediately and look for indicators of compromise and suspicious activity.
Edit: Keeping an eye on this thread tracking mass scanning for hosts vulnerable to CVE-2020-10148 too: https://twitter.com/bad_packets/status/1344008582019203072
Interesting, Will Dormann from CERT has similarly said that there has been no clear confirmation of whether CVE-2020-10148 or a totally different vulnerability allows for SUPERNOVA installation/Orion server compromise (tweet from January 8, 2020): https://twitter.com/wdormann/status/1347690102638735361
That’s a good distinction to keep making—I suppose I should revise my statement that “everyone else in the world seems to have linked the two unequivocally” since there are at least a couple of folks who haven’t!
The upshot for defenders, unfortunately, is that there may be more SolarWinds Orion vulnerability news to come. I do hope the company is clear and fast about disclosing further facts as their investigations confirm them. Delaying and obscuring here would be absolutely no help at all.
CVSS V3 Severity and Metrics
General Information
Vendors
- SolarWinds
Products
- Orion Platform
Exploited in the Wild
Technical Analysis
SolarWinds updated the security advisory where they are tracking several critical security issues in their Orion platform with information following the release of CVE-2020-10148. CVE-2020-10148 identifies an unauthenticated, remote code execution weakness in the SolarWinds Orion API. This API is a central part of the Orion platform with highly privileged access to all Orion platform components. The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
The CVE was reported as a zero-day and is being exploited in the wild. Rapid7 is tracking updates on the widespread attack campaign involving multiple issues in SolarWinds Orion here: https://blog.rapid7.com/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/
Guidance
Patches are available and as of 2020-12-24 organizations should be on one of the following versions to mitigate this weakness:
2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)
