CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.973 High
Percentile: 99.8%
The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
This API is a central part of the Orion platform with highly privileged access to all Orion platform components. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands.
In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
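The request shape described above (one of the four PathInfo tokens appended after another resource) is something a defender can hunt for in IIS access logs. The following is an added example, not SolarWinds code or part of the advisory; it assumes an IIS W3C-style log layout (date, time, method, uri-stem, uri-query, status), assumes the Information Service REST API sits under /SolarWinds/InformationService/, and uses constructed log lines with hypothetical handler names.

```python
import re
from urllib.parse import unquote

# PathInfo values named in the advisory; compared case-insensitively.
BYPASS_TOKENS = {"webresource.adx", "scriptresource.adx", "i18n.ashx", "skipi18n"}

# Assumption (not from the advisory): the Orion Information Service REST API
# lives under this prefix, so a token appended there is never a normal request.
API_PREFIX = "/solarwinds/informationservice/"

# Assumed IIS W3C-style layout: date time method uri-stem uri-query status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})")

def is_bypass_shaped(uri_stem: str) -> bool:
    """Flag a request whose path carries a bypass token as *appended* PathInfo:
    the token follows a handler-looking segment (one containing a dot) or sits
    under the API prefix. A token that is itself the top-level resource, such as
    /Orion/i18n.ashx, is an ordinary request and is not flagged."""
    path = unquote(uri_stem).lower()
    segments = [s for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg not in BYPASS_TOKENS or i == 0:
            continue
        if "." in segments[i - 1] or path.startswith(API_PREFIX):
            return True
    return False

def scan_log(lines):
    """Return (time, uri_stem, status) for every log line matching the bypass shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_shaped(m.group(4)):
            hits.append((m.group(2), m.group(4), m.group(6)))
    return hits

# Constructed sample log lines; /Orion/Example/Handler.aspx is hypothetical.
SAMPLE_LOG = """\
2020-12-20 10:01:02 GET /Orion/Login.aspx - 200
2020-12-20 10:01:05 GET /Orion/WebResource.axd d=abc 200
2020-12-20 10:01:09 GET /Orion/i18n.ashx - 200
2020-12-20 10:02:17 GET /SolarWinds/InformationService/v3/Json/Query/WebResource.adx query=x 200
2020-12-20 10:02:44 POST /Orion/Example/Handler.aspx/Skipi18n - 200
""".splitlines()

if __name__ == "__main__":
    for time, stem, status in scan_log(SAMPLE_LOG):
        print(f"{time} {status} Orion API auth-bypass shape: {stem}")
```

A hit on a 200 response for a caller that never authenticated is the signal worth escalating; the heuristic only narrows the log to the request shape the advisory describes.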
Patches are available and as of 2020-12-24 organizations should be on one of the following versions to mitigate this weakness:
2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)
Please see the following resources for more information:
<https://www.kb.cert.org/vuls/id/843464>
<https://www.solarwinds.com/securityadvisory#anchor2>
Recent assessments:
dabdine at December 29, 2020 12:19am UTC reported:
This vulnerability was reported on 12/24, and was discovered after an investigation led to the identification of a web shell on an affected victim, claim sources. The "malware" was named SUPERNOVA, and to install it, the actor used a 0day vulnerability on the SolarWinds API. More details are available at the SolarWinds website (or really, all over the internet): <https://www.solarwinds.com/securityadvisory>
As of writing, the CVE details are still reserved. CVSS v3.1 calculations vary between 9.5-10 (depending on how far into the environmental characteristics you dive, but most sites peg it at 9.8).
This gist on GitHub seems to demonstrate exploitability of the issue by dumping a password database using auth bypass + arbitrary file read:
<https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965>
Assessed Attacker Value: 5