Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
16

CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE

Disclosure Date: December 29, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Initial Access
Techniques
Validation
Validated
Validated

Description

The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.

This API is a central part of the Orion platform with highly privileged access to all Orion platform components. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

Patches are available and as of 2020-12-24 organizations should be on one of the following versions to mitigate this weakness:

  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

Please see the following resources for more information:
https://www.kb.cert.org/vuls/id/843464
https://www.solarwinds.com/securityadvisory#anchor2

Add Assessment

5
Ratings
Technical Analysis

This vulnerability was reported on 12/24, and was discovered after an investigation led to the identification of a web shell on an affected victim, claim sources. The “malware” was named SUPERNOVA, and to install it, the actor used a 0day vulnerability on the SolarWinds API. More details are available at the SolarWinds website (or really, all over the internet): https://www.solarwinds.com/securityadvisory

As of writing, the CVE details are still reserved. CVSS v3.1 calculations vary between 9.5-10 (depending on how far into the environmental characteristics you dive, but most sites peg it at 9.8).

This gist on GitHub seems to demonstrate exploitability of the issue by dumping a password database using auth bypass + arbitrary file read:
https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • SolarWinds

Products

  • Orion Platform

Exploited in the Wild

Reported by:
Reported: December 29, 2020 12:11am UTC (6 months ago)

Additional Info

Technical Analysis

SolarWinds updated the security advisory where they are tracking several critical security issues in their Orion platform with information following the release of CVE-2020-10148. CVE-2020-10148 identifies an unauthenticated, remote code execution weakness in the SolarWinds Orion API. This API is a central part of the Orion platform with highly privileged access to all Orion platform components. The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.

API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

The CVE was reported as a zero-day and is being exploited in the wild. Rapid7 is tracking updates on the widespread attack campaign involving multiple issues in SolarWinds Orion here: https://blog.rapid7.com/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/

Guidance

Patches are available and as of 2020-12-24 organizations should be on one of the following versions to mitigate this weakness:

2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)

References