{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/843464#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.\r\n\r\n### Description\r\nThe [SolarWinds Orion Platform](https://www.solarwinds.com/solutions/orion) is a suite of infrastructure and system monitoring and management products. The [SolarWinds Orion API](https://support.solarwinds.com/SuccessCenter/s/article/Support-for-Orion-SDK-and-other-API-related-tools) is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the [`Request.PathInfo`](https://docs.microsoft.com/en-us/dotnet/api/system.web.httprequest.pathinfo?view=netframework-4.8) portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a `PathInfo` parameter of `WebResource.axd`, `ScriptResource.axd`, `i18n.ashx`, or `Skipi18n` to a request to a SolarWinds Orion server, SolarWinds may set the [SkipAuthorization](https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcontext.skipauthorization) flag, which may allow the API request to be processed without requiring authentication.\r\n\r\nThis vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has [indicated](https://www.solarwinds.com/securityadvisory#anchor2) to have been used to install the malware known as SUPERNOVA.\r\n\r\nWe have created a python3 script to check for vulnerable SolarWinds Orion servers: [swcheck.py](https://kb.cert.org/static-bigvince-prod-kb-eb/swcheck.py)\r\n\r\n### Impact\r\nThis vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.\r\n\r\n### Solution\r\n**Apply an Update**\r\n\r\nUsers should update to the relevant versions of the SolarWinds Orion Platform:\r\n\r\n* 2019.4 HF 6 (released December 14, 2020)\r\n* 2020.2.1 HF 2 (released December 15, 2020)\r\n* 2019.2 SUPERNOVA Patch (released December 23, 2020)\r\n* 2018.4 SUPERNOVA Patch (released December 23, 2020)\r\n* 2018.2 SUPERNOVA Patch (released December 23, 2020)\r\n\r\nMore information can be found in the [SolarWinds Security Advisory](https://www.solarwinds.com/securityadvisory#anchor2).\r\n\r\n**Harden the IIS Server**\r\n\r\nEspecially in cases when updates cannot be installed, we recommend that users implement [these mitigations](https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip) to harden the IIS server.\r\n\r\n### Acknowledgements\r\nThis document was written by Madison Oliver and Will Dormann.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/843464"},{"url":"https://www.solarwinds.com/securityadvisory","summary":"https://www.solarwinds.com/securityadvisory"},{"url":"https://cyber.dhs.gov/ed/21-01/","summary":"https://cyber.dhs.gov/ed/21-01/"},{"url":"https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software","summary":"https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software"},{"url":"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a","summary":"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a"},{"url":"https://github.com/solarwinds/OrionSDK/wiki","summary":"https://github.com/solarwinds/OrionSDK/wiki"},{"url":"https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip","summary":"https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip"},{"url":"https://www.solarwinds.com/securityadvisory/faq","summary":"Reference(s) from vendor \"SolarWinds\""},{"url":"https://www.solarwinds.com/securityadvisory","summary":"Reference(s) from vendor \"SolarWinds\""},{"url":"https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/","summary":"Reference(s) from vendor \"SolarWinds\""}],"title":"SolarWinds Orion API authentication bypass allows remote command execution","tracking":{"current_release_date":"2021-01-28T16:53:42+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#843464","initial_release_date":"2020-12-26 16:58:52.633047+00:00","revision_history":[{"date":"2021-01-28T16:53:42+00:00","number":"1.20210128165342.12","summary":"Released on 2021-01-28T16:53:42+00:00"}],"status":"final","version":"1.20210128165342.12"}},"vulnerabilities":[{"title":"The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands.","notes":[{"category":"summary","text":"The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands."}],"cve":"CVE-2020-10148","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#843464"}],"product_status":{"known_affected":["CSAFPID-e9197656-39db-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"SolarWinds","product":{"name":"SolarWinds Products","product_id":"CSAFPID-e9197656-39db-11f1-8422-122e2785dc9f"}}]}}