AttackerKB AKB:6F74854B-9C7C-4EFB-BBCF-3915CCE1CEA0
Dec 29, 2020 - 12:00 a.m.

CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE

attackerkb.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.973 High (Percentile: 99.8%)

The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.

This API is a central part of the Orion platform with highly privileged access to all Orion platform components. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
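The description above gives defenders something concrete to look for: the bypass is carried in the path portion of the request, not in headers or the body, so it is visible in ordinary web server access logs. The following script is an added example (not code from AttackerKB, CERT/CC or SolarWinds) that scans IIS/W3C-style log lines for the four PathInfo markers named above and reports which clients sent them, whether the request succeeded, and whether IIS recorded an authenticated user. The log field order, the `/api/` route prefix and the sample log lines are constructed assumptions for illustration; the marker strings are copied verbatim from the advisory text.

```python
from typing import Dict, List, Optional
from urllib.parse import unquote

# PathInfo markers named in the advisory text (copied verbatim, lower-cased for matching).
SKIP_AUTH_MARKERS = frozenset({"webresource.adx", "scriptresource.adx", "i18n.ashx", "skipi18n"})

# Assumption: route prefixes that should never be served to an anonymous client.
# Adjust to the routes exposed by the monitored deployment.
API_PREFIXES = ("/api/",)

# Assumption: the W3C field order written by the monitored IIS site.
IIS_FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status", "username")


def bypass_marker(path: str) -> Optional[str]:
    """Return the marker found as a path segment of the decoded request path, or None.

    Matching is per segment and case-insensitive, so a marker appended as
    PathInfo (with or without a trailing slash, URL-encoded or not) is caught,
    while the standard ASP.NET handler name WebResource.axd is not.
    The query string is ignored: the advisory describes the PathInfo portion.
    """
    segments = [s.lower() for s in unquote(path).split("/") if s]
    for seg in segments:
        if seg in SKIP_AUTH_MARKERS:
            return seg
    return None


def parse_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one W3C extended log line; skip directives, blanks and malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose request path carries a bypass marker."""
    findings = []
    for number, line in enumerate(lines, start=1):
        record = parse_iis_line(line)
        if record is None:
            continue
        marker = bypass_marker(record["uri_stem"])
        if marker is None:
            continue
        findings.append({
            "line": number,
            "client": record["c_ip"],
            "method": record["method"],
            "path": record["uri_stem"],
            "marker": marker,
            "status": int(record["status"]),
            # IIS logs "-" as cs-username when no user was authenticated.
            "anonymous": record["username"] == "-",
            "under_api": unquote(record["uri_stem"]).lower().startswith(API_PREFIXES),
        })
    return findings


# Constructed sample log (not real traffic): two benign lines and three marker hits.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-username
2020-12-20 10:00:01 10.0.0.5 GET /Orion/Login.aspx - 200 -
2020-12-20 10:00:07 10.0.0.5 GET /api/example/Query/WebResource.adx - 200 -
2020-12-20 10:00:09 10.0.0.9 POST /api/example/Invoke/Skipi18n - 200 -
2020-12-20 10:00:12 10.0.0.7 GET /Orion/WebResource.axd d=abc 200 jsmith
2020-12-20 10:00:15 10.0.0.5 GET /api/example/Query/i18n.ashx%2f - 200 -
""".splitlines()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "ANON-SUCCESS" if hit["anonymous"] and hit["status"] == 200 else "review"
        print(f"line {hit['line']}: {hit['client']} {hit['method']} {hit['path']} "
              f"marker={hit['marker']} status={hit['status']} [{flag}]")
```

A marker hit that returned 200 to an anonymous client on an API route is the strongest signal here, because it matches exactly the condition the advisory describes; hits that returned 401/403 still merit a look as probing. In practice the script would read the site's own log files, and `IIS_FIELDS` must be aligned with the `#Fields:` directive of those files rather than the constructed order used here.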

Patches are available and as of 2020-12-24 organizations should be on one of the following versions to mitigate this weakness:

  • 2019.4 HF 6 (released December 14, 2020)

  • 2020.2.1 HF 2 (released December 15, 2020)

  • 2019.2 SUPERNOVA Patch (released December 23, 2020)

  • 2018.4 SUPERNOVA Patch (released December 23, 2020)

  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

Please see the following resources for more information:
<https://www.kb.cert.org/vuls/id/843464>
<https://www.solarwinds.com/securityadvisory#anchor2>

Recent assessments:

dabdine at December 29, 2020 12:19am UTC reported:

This vulnerability was reported on 12/24, and was discovered after an investigation led to the identification of a web shell on an affected victim, claim sources. The “malware” was named SUPERNOVA, and to install it, the actor used a 0day vulnerability on the SolarWinds API. More details are available at the SolarWinds website (or really, all over the internet): <https://www.solarwinds.com/securityadvisory>

As of writing, the CVE details are still reserved. CVSS v3.1 calculations vary between 9.5-10 (depending on how far into the environmental characteristics you dive, but most sites peg it at 9.8).

This gist on GitHub seems to demonstrate exploitability of the issue by dumping a password database using auth bypass + arbitrary file read:
<https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965>

ccondon-r7 at December 30, 2020 7:39pm UTC reported:

Assessed Attacker Value: 5
