{"vuid":"VU#843464","idnumber":"843464","name":"SolarWinds Orion API authentication bypass allows remote command execution","keywords":null,"overview":"### Overview\r\nThe SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.\r\n\r\n### Description\r\nThe [SolarWinds Orion Platform](https://www.solarwinds.com/solutions/orion) is a suite of infrastructure and system monitoring and management products. The [SolarWinds Orion API](https://support.solarwinds.com/SuccessCenter/s/article/Support-for-Orion-SDK-and-other-API-related-tools) is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the [`Request.PathInfo`](https://docs.microsoft.com/en-us/dotnet/api/system.web.httprequest.pathinfo?view=netframework-4.8) portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a `PathInfo` parameter of `WebResource.axd`, `ScriptResource.axd`, `i18n.ashx`, or `Skipi18n` to a request to a SolarWinds Orion server, SolarWinds may set the [SkipAuthorization](https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcontext.skipauthorization) flag, which may allow the API request to be processed without requiring authentication.\r\n\r\nThis vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has [indicated](https://www.solarwinds.com/securityadvisory#anchor2) to have been used to install the malware known as SUPERNOVA.\r\n\r\nWe have created a python3 script to check for vulnerable SolarWinds Orion servers: [swcheck.py](https://kb.cert.org/static-bigvince-prod-kb-eb/swcheck.py)\r\n\r\n### Impact\r\nThis vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.\r\n\r\n### Solution\r\n**Apply an 
Update**\r\n\r\nUsers should update to the relevant versions of the SolarWinds Orion Platform:\r\n\r\n* 2019.4 HF 6 (released December 14, 2020)\r\n* 2020.2.1 HF 2 (released December 15, 2020)\r\n* 2019.2 SUPERNOVA Patch (released December 23, 2020)\r\n* 2018.4 SUPERNOVA Patch (released December 23, 2020)\r\n* 2018.2 SUPERNOVA Patch (released December 23, 2020)\r\n\r\nMore information can be found in the [SolarWinds Security Advisory](https://www.solarwinds.com/securityadvisory#anchor2).\r\n\r\n**Harden the IIS Server**\r\n\r\nEspecially in cases when updates cannot be installed, we recommend that users implement [these mitigations](https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip) to harden the IIS server.\r\n\r\n### Acknowledgements\r\nThis document was written by Madison Oliver and Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.solarwinds.com/securityadvisory","https://cyber.dhs.gov/ed/21-01/","https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software","https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a","https://github.com/solarwinds/OrionSDK/wiki","https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip"],"cveids":["CVE-2020-10148"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2020-12-26T16:58:52.765061Z","publicdate":"2020-12-26T16:58:52.633047Z","datefirstpublished":"2020-12-26T16:58:52.788352Z","dateupdated":"2021-01-28T16:53:42.522398Z","revision":12,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector
":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":35}
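The description above explains the bypass shape: one of the tokens `WebResource.axd`, `ScriptResource.axd`, `i18n.ashx` or `Skipi18n` supplied as `PathInfo`, that is, appended to a path after a handler the server has already resolved. The following Python 3 script is an added example written for this note; it is not CERT/CC's `swcheck.py` and not SolarWinds code. It scans IIS W3C log lines for requests of that shape so that defenders can look for probing in historical logs rather than only test a live server. The log lines are constructed, the field order is the assumed default W3C layout (check your own `#Fields` header), and the rule that separates PathInfo abuse from the ordinary `/WebResource.axd?d=...` resource request is a heuristic of this example, not something the note states.

```python
"""Flag IIS requests shaped like the VU#843464 / CVE-2020-10148 bypass.

Added example for this vulnerability note. It is not CERT/CC's swcheck.py and
not SolarWinds code. Sample log lines, field order and the filtering heuristic
are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote

# PathInfo values named in the note; compared case-insensitively because IIS
# path handling is case-insensitive.
BYPASS_TOKENS = ("webresource.axd", "scriptresource.axd", "i18n.ashx", "skipi18n")

# Assumed IIS W3C field order (check the #Fields header of your own logs).
FIELD_NAMES = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
               "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status")

# Constructed sample log: three ordinary web requests from 10.0.0.77 and three
# requests from 203.0.113.9 with a bypass token appended as PathInfo to a
# hypothetical handler path /Orion/Example.aspx.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-15 10:01:02 10.0.0.5 GET /Orion/Login.aspx ReturnUrl=%2fOrion 443 - 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2020-12-15 10:01:03 10.0.0.5 GET /Orion/WebResource.axd d=abc123 443 - 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2020-12-15 10:01:03 10.0.0.5 GET /Orion/ScriptResource.axd d=def456 443 - 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2020-12-15 10:02:41 10.0.0.5 GET /Orion/Example.aspx/WebResource.axd - 443 - 203.0.113.9 python-requests/2.25.1 200
2020-12-15 10:02:42 10.0.0.5 GET /Orion/Example.aspx/i18n%2Eashx - 443 - 203.0.113.9 python-requests/2.25.1 200
2020-12-15 10:02:43 10.0.0.5 POST /Orion/Example.aspx/Skipi18n - 443 - 203.0.113.9 python-requests/2.25.1 200
"""


@dataclass
class Hit:
    client_ip: str
    method: str
    path: str
    token: str
    status: str


def parse_w3c(line: str) -> dict[str, str] | None:
    """Split one W3C line into a field dict; header and short lines yield None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELD_NAMES):
        return None
    return dict(zip(FIELD_NAMES, parts))


def bypass_token(path: str) -> str | None:
    """Return the token when `path` carries it in a PathInfo-like position.

    Heuristic (this example's assumption, not from the note): a token that is
    the whole final segment of an otherwise dot-free path, such as
    /Orion/WebResource.axd, is the ordinary ASP.NET resource handler and is not
    flagged. A token following a handler-like segment (/Example.aspx/WebResource.axd),
    embedded in another segment, or followed by more path is flagged. The path is
    percent-decoded first so an encoded dot does not evade the match.
    """
    segments = [s for s in unquote(path).lower().split("/") if s]
    for i, seg in enumerate(segments):
        for tok in BYPASS_TOKENS:
            if tok not in seg:
                continue
            whole_final = seg == tok and i == len(segments) - 1
            prefix_has_dot = any("." in s for s in segments[:i])
            if whole_final and not prefix_has_dot:
                continue  # ordinary handler request at the application root
            return tok
    return None


def scan_iis_log(lines) -> list[Hit]:
    """Return one Hit per request whose cs-uri-stem matches bypass_token()."""
    hits: list[Hit] = []
    for line in lines:
        rec = parse_w3c(line)
        if rec is None:
            continue
        tok = bypass_token(rec["cs-uri-stem"])
        if tok is not None:
            hits.append(Hit(rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], tok, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"{h.client_ip} {h.method} {h.path} -> {h.token} (HTTP {h.status})")
```

A hit records a request shaped like the bypass, not proof that an API command was executed; the `sc-status` value and any follow-on activity from the same client need to be reviewed, and an affected server should be updated or hardened as described in the Solution section regardless of whether the logs show probing.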