AttackerKB AKB:6F74854B-9C7C-4EFB-BBCF-3915CCE1CEA0
History: Dec 29, 2020 - 12:00 a.m.

CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE

2020-12-29 00:00:00
attackerkb.com
Tags: solarwinds orion, api authentication bypass, remote code execution, vulnerability, compromise, 0day, supernova, cvss v3.1

CVSS2: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10
Confidence: High
EPSS: 0.972
Percentile: 99.9%

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote, unauthenticated attacker to execute API commands, which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

Recent assessments:

dabdine at December 29, 2020 12:19am UTC reported:

This vulnerability was reported on 12/24, and was discovered after an investigation led to the identification of a web shell on an affected victim, claim sources. The “malware” was named SUPERNOVA, and to install it, the actor used a 0day vulnerability on the SolarWinds API. More details are available at the SolarWinds website (or really, all over the internet): <https://www.solarwinds.com/securityadvisory>

As of writing, the CVE details are still reserved. CVSS v3.1 calculations vary between 9.5-10 (depending on how far into the environmental characteristics you dive, but most sites peg it at 9.8).

This gist on GitHub seems to demonstrate exploitability of the issue by dumping a password database using auth bypass + arbitrary file read:
<https://gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965>

ccondon-r7 at December 30, 2020 7:39pm UTC reported:


Assessed Attacker Value: 5
