SolarWinds updated the security advisory where they are tracking several critical security issues in their Orion platform with information following the release of CVE-2020-10148. CVE-2020-10148 identifies an unauthenticated, remote code execution weakness in the SolarWinds Orion API. This API is a central part of the Orion platform with highly privileged access to all Orion platform components. The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
The CVE was reported as a zero-day and is being exploited in the wild. Rapid7 is tracking updates on the widespread attack campaign involving multiple issues in SolarWinds Orion here: https://blog.rapid7.com/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/
Guidance
Patches are available and as of 2020-12-24 organizations should be on one of the following versions to mitigate this weakness:
2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)
References
- https://www.solarwinds.com/securityadvisory
- https://blog.rapid7.com/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/
- https://kb.cert.org/vuls/id/843464
