CERT-In Advisory
CIAD-2020-0088
Remote API Command Execution Vulnerability in SolarWinds Orion Platform (SUPERNOVA)
Original Issue Date: December 31, 2020
Severity Rating: High
Systems Affected
SolarWinds Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
Overview
A vulnerability has been reported in the SolarWinds Orion IT monitoring and management software which could allow a remote, unauthenticated attacker to bypass authentication and execute API commands, which may result in compromise of the SolarWinds instance.
Description
This vulnerability exists because of an error in how the SolarWinds Orion API decides whether an incoming request requires authentication. An unauthenticated, remote attacker could exploit it by sending a request whose "Request.PathInfo" URI component contains specially crafted parameters, which causes the API to set its internal "SkipAuthentication" flag.
Successful exploitation allows the attacker to bypass authentication and execute API commands, which may result in compromise of the SolarWinds instance.
Note: It is reported that this vulnerability is being exploited in the wild.
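The following is an added, illustrative Python model of the class of flaw described above (an authentication decision driven by a substring test on user-controlled PathInfo) beside the hardened form; it is not SolarWinds code, and the API prefix, the static-resource name "resource.axd" and the session token are assumptions made for this example only.

```python
"""Illustrative model of a PathInfo-driven authentication bypass.

Added example, not SolarWinds code: the route layout, the resource suffix
and the token are assumptions made for the illustration.
"""
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

API_PREFIX = "/api/"                        # hypothetical API route prefix
PUBLIC_RESOURCE_SUFFIX = "resource.axd"     # hypothetical static-resource handler name
VALID_TOKEN = "session-token-constructed"   # constructed sample credential

Policy = Callable[[str, str], bool]


def route(url: str) -> Tuple[str, str]:
    """Resolve a URL to (handler, path_info).

    Models the ASP.NET split: the handler is the first segment under the API
    prefix, and Request.PathInfo is whatever trails it. The query string is
    not part of PathInfo.
    """
    path = urlsplit(url).path
    if path.startswith(API_PREFIX):
        rest = path[len(API_PREFIX):]
        handler, _, trailing = rest.partition("/")
        return "api:" + handler, ("/" + trailing) if trailing else ""
    if path.lower().endswith(PUBLIC_RESOURCE_SUFFIX):
        return "static", ""
    return "page", ""


def vulnerable_policy(handler: str, path_info: str) -> bool:
    """Bug: SkipAuthentication is also derived from a substring test on
    PathInfo, so any handler can be reached without credentials by appending
    the static-resource name as PathInfo."""
    return handler == "static" or PUBLIC_RESOURCE_SUFFIX in path_info.lower()


def hardened_policy(handler: str, path_info: str) -> bool:
    """Fix: skip authentication only for the resolved static handler;
    PathInfo is attacker-controlled data and is never consulted."""
    return handler == "static"


def handle(url: str, token: Optional[str], policy: Policy) -> Tuple[int, str]:
    """Dispatch a request and return (HTTP status, body)."""
    handler, path_info = route(url)
    if policy(handler, path_info) or token == VALID_TOKEN:
        if handler == "static":
            return 200, "static resource"       # genuinely public content
        return 200, f"executed {handler}"       # an API command runs here
    return 401, "authentication required"


if __name__ == "__main__":
    crafted = "/api/Invoke/resource.axd"        # crafted PathInfo on an API route
    for name, policy in (("vulnerable", vulnerable_policy), ("hardened", hardened_policy)):
        print(name, handle(crafted, None, policy))
```

Running the block shows the crafted request executing the API handler under the vulnerable policy and being rejected with 401 under the hardened one, while a real static resource is served by both. The general point for a code review is that the decision to skip authentication must be taken from the resolved handler, never from the contents of a user-supplied path component.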
Solution
Organisations are recommended to apply updates to the latest versions of the SolarWinds Orion Platform mentioned in the SolarWinds Security Advisory:
- 2019.4 HF 6
- 2020.2.1 HF 2
- 2019.2 SUPERNOVA Patch
- 2018.4 SUPERNOVA Patch
- 2018.2 SUPERNOVA Patch
Users who have already upgraded to 2020.2.1 HF 2 or 2019.4 HF 6 need take no further action.
Affected users who are unable to install the security updates immediately are advised to protect their environment temporarily by applying the mitigating measures in the SolarWinds SUPERNOVA mitigation package (SupernovaMitigation.zip, linked under References).
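To turn the version lists above into a check that can be run over an inventory of Orion servers, the following added Python example (not SolarWinds tooling) parses Orion Platform version strings such as "2020.2.1 HF 2" and reports, per host, whether the installed build is at or beyond the fixed build for its branch. It assumes the version string format shown in this advisory, and, for the 2019.2, 2018.4 and 2018.2 branches, it can only flag that the separate SUPERNOVA patch must be confirmed, since the version string does not reveal whether that patch is applied. The inventory at the bottom is constructed sample data.

```python
"""Check Orion Platform version strings against the builds fixed in this advisory.

Added example, not vendor tooling. Assumes version strings of the form
"<year>.<n>[.<m>] [HF <k>]" as used in the SolarWinds advisory.
"""
import re
from typing import Dict, Tuple

VersionKey = Tuple[int, int, int, int]   # (major, minor, patch, hotfix)

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> VersionKey:
    """Parse '2020.2.1 HF 2', '2019.4 HF5' or '2020.2' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))            # pad '2020.2' to (2020, 2, 0)
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


def format_version(v: VersionKey) -> str:
    base = f"{v[0]}.{v[1]}" + (f".{v[2]}" if v[2] else "")
    return base + (f" HF {v[3]}" if v[3] else "")


# Fixed builds named in this advisory, keyed by release branch (major, minor).
FIXED_BUILDS: Dict[Tuple[int, int], VersionKey] = {
    (2019, 4): parse_version("2019.4 HF 6"),
    (2020, 2): parse_version("2020.2.1 HF 2"),
}

# Branches for which the advisory lists a separate SUPERNOVA patch; whether it
# has been applied cannot be read from the version string alone.
SUPERNOVA_PATCH_BRANCHES = {(2019, 2), (2018, 4), (2018, 2)}


def assess(text: str) -> Dict[str, str]:
    """Classify one installed version as patched, vulnerable, needing the
    SUPERNOVA patch, or not covered by this advisory."""
    ver = parse_version(text)
    branch = (ver[0], ver[1])
    if branch in FIXED_BUILDS:
        fixed = FIXED_BUILDS[branch]
        if ver >= fixed:
            return {"version": text, "status": "patched", "action": "none"}
        return {"version": text, "status": "vulnerable",
                "action": f"update to {format_version(fixed)} or later"}
    if branch in SUPERNOVA_PATCH_BRANCHES:
        return {"version": text, "status": "supernova_patch",
                "action": "confirm the SUPERNOVA patch for this branch is applied"}
    return {"version": text, "status": "unlisted",
            "action": "branch not covered by this advisory; consult the vendor advisory"}


if __name__ == "__main__":
    # Constructed sample inventory (host name, reported Orion Platform version).
    inventory = [
        ("orion-01", "2019.4 HF 5"),
        ("orion-02", "2020.2 HF 1"),
        ("orion-03", "2020.2.1 HF 2"),
        ("orion-04", "2018.4 HF 3"),
    ]
    for host, version in inventory:
        result = assess(version)
        print(f"{host:10} {version:16} {result['status']:16} {result['action']}")
```

Anything on the 2019.4 or 2020.2 branch below the fixed build is reported as vulnerable, which matches the advisory's guidance that only 2019.4 HF 6 and 2020.2.1 HF 2 (or later) require no further action.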
Recommendations
Organisations are strongly advised to take additional measures such as:
- Orion Platform versions 2019.4 HF 6 and 2020.2.1 HF 2 were designed to protect against both SUNBURST and SUPERNOVA.
- All active maintenance customers of Orion Platform products, except those already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, should apply the latest updates for the version of the product they have deployed as soon as possible. These updates contain security enhancements, including those designed to protect against SUNBURST and SUPERNOVA.
- Analyse the configuration of all network devices managed by the Orion platform for unauthorised alteration.
- Run up to date antivirus or EDR products that detect compromised SolarWinds libraries and potentially anomalous process behaviour by these binaries.
- Consider disabling SolarWinds in your environment entirely until you are confident that you have a trustworthy build free of injected code.
- Block all traffic to and from hosts where any version of SolarWinds Orion software has been installed.
- Identify and remove threat-actor controlled accounts and persistence mechanisms.
- Reset all credentials used by SolarWinds software and implement a rotation policy for these accounts.
- Affected organisations should determine the need to change credentials on all devices managed by the affected SolarWinds platform. This includes:
  - User credentials
  - SNMP community strings
  - IKE pre-shared keys
  - Shared secrets for TACACS, TACACS+ and RADIUS
  - Secrets for BGP, OSPF, EIGRP or other routing protocols
  - Exportable RSA keys and certificates for SSH or other protocols
Organisations should consider the impacts and applicability of these steps on their specific network operations prior to implementing these mitigations.
Vendor Information
https://customerportal.solarwinds.com/ (login required)
References
SolarWinds
https://www.solarwinds.com/securityadvisory
https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm
https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
US CERT
https://kb.cert.org/vuls/id/843464
https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
Palo Alto Networks
https://unit42.paloaltonetworks.com/solarstorm-supernova/
Microsoft
https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448
https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
CVE Name
CVE-2020-10148
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India