Multiple Vulnerabilities in SolarWinds Orion Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2020-166 - UPDATED
Date(s) Issued: 
Monday, December 14, 2020
Date Updated: 
Monday, December 28, 2020
Subject: 
Multiple Vulnerabilities in SolarWinds Orion Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in SolarWinds Orion, the most severe of which could allow for arbitrary code execution. SolarWinds Orion is an IT performance monitoring platform that manages and optimizes IT infrastructure. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


ORIGINAL THREAT INTELLIGENCE:

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing active exploitation of the SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1.

December 17 - UPDATED THREAT INTELLIGENCE:

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing active exploitation of the SolarWinds Orion Platform software versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1.


Systems Affected: 
  • SolarWinds Orion Platform versions 2019.4 through 2020.2.1 HF 1

December 16 - UPDATED SYSTEMS AFFECTED:

  • SolarWinds Orion Platform versions prior to 2019.4 HF 6

  • SolarWinds Orion Platform versions prior to 2020.2.1 HF 2

December 17 - UPDATED SYSTEMS AFFECTED:

  • SolarWinds Orion Platform Version 2019.4 HF5

  • SolarWinds Orion Platform Version 2020.2

  • SolarWinds Orion Platform Version 2020.2 HF1

December 28 - UPDATED SYSTEMS AFFECTED:

For CVE-2020-10148, SolarWinds Orion Platform versions 2019.2 HF 3, 2018.4 HF 3, and 2018.2 HF 6 are also affected. Security patches have been released for each of these versions specifically to address this new vulnerability.

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in SolarWinds Orion, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A vulnerability caused by a defined Visual Basic script (CVE-2020-14005)
  • An HTML injection vulnerability (CVE-2020-13169)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

December 16 - UPDATED DESCRIPTION:

SolarWinds has released the second hotfix, version 2020.2.1 HF 2. SolarWinds has also published a FAQ page that answers several important questions, including how to check your systems for compromise and which workarounds are available if you are not able to upgrade your system to the latest patch level. The FAQ can be found at the link in the reference section below.

December 28 - UPDATED DESCRIPTION:

SolarWinds Orion is also affected by a vulnerability that could allow for authentication bypass (CVE-2020-10148). API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication, potentially resulting in a compromise of the SolarWinds instance.
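The PathInfo behaviour described above gives defenders a concrete shape to hunt for in web server logs. The following is an added example, not code from SolarWinds or from the advisory: it scans IIS W3C log lines for requests in which one of the four named tokens appears in PathInfo position (as a path segment following at least one other segment), after repeated percent-decoding and case folding. The field order, paths, addresses and log lines are constructed for the example; a real log states its field order in its #Fields directive.

```python
"""Heuristic hunt for CVE-2020-10148-style PathInfo placement in IIS W3C logs."""
from urllib.parse import unquote

# The four PathInfo tokens named in the advisory, compared case-insensitively.
MARKERS = {"webresource.adx", "scriptresource.adx", "i18n.ashx", "skipi18n"}

# Field order assumed for this example; a real log states its own order in
# the "#Fields:" directive, so adjust this list to match your server.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log: two ordinary requests and three with a marker in
# PathInfo position (paths and addresses are made up for the example).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-20 10:01:02 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.77 Mozilla/5.0 200
2020-12-20 10:01:05 10.0.0.5 GET /WebResource.axd d=abc 443 - 10.0.0.77 Mozilla/5.0 200
2020-12-20 10:02:11 10.0.0.5 GET /ExampleApi/Query/WebResource.adx q=x 443 - 198.51.100.23 curl/7.68.0 200
2020-12-20 10:02:14 10.0.0.5 POST /ExampleApi/Skipi18n - 443 - 198.51.100.23 python-requests/2.25 200
2020-12-20 10:03:00 10.0.0.5 GET /Orion/app.js%2fI18N.ASHX - 443 - 198.51.100.23 curl/7.68.0 200
"""

def normalize_path(uri_stem):
    """Percent-decode until stable (defeats double encoding), then lowercase."""
    prev = None
    while prev != uri_stem:
        prev, uri_stem = uri_stem, unquote(uri_stem)
    return uri_stem.lower()

def marker_in_pathinfo(uri_stem):
    """True when a marker is a path segment with at least one segment before it."""
    segments = [s for s in normalize_path(uri_stem).split("/") if s]
    # PathInfo shape: the token trails a real handler path rather than being the
    # requested resource itself, so a root-level resource handler is not flagged.
    return any(seg in MARKERS for seg in segments[1:])

def parse_w3c_line(line):
    """Map one IIS W3C log line onto FIELDS; directives and short lines give None."""
    parts = line.strip().split(" ")
    if not parts[0] or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def find_suspicious_requests(lines):
    """Return (client ip, method, uri stem, status) for each request matching the heuristic."""
    hits = []
    for rec in map(parse_w3c_line, lines):
        if rec and marker_in_pathinfo(rec["cs-uri-stem"]):
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits
```

Run the functions over your own exported IIS logs after adjusting FIELDS; a hit is a lead for review, not proof of compromise.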

Actions: 
  • After appropriate testing, immediately install the updates provided by SolarWinds to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

December 17 - UPDATED ACTIONS:

  • 2019.4 HF 5 > Update to 2019.4 HF 6

  • 2020.2 (with no hotfix installed) & 2020.2 HF 1 > Update to 2020.2.1 HF 2

December 28 - UPDATED ACTIONS:

  • After appropriate testing, immediately install the updates provided by SolarWinds to vulnerable systems.
    • 2019.4 HF 5 > Update to 2019.4 HF 6
    • 2020.2 (with no hotfix installed) & 2020.2 HF 1 > Update to 2020.2.1 HF 2
    • If you are running 2019.2 HF 3, 2018.4 HF 3, or 2018.2 HF 6 and do not wish to update completely to one of the above versions, apply the security patch released by SolarWinds to address CVE-2020-10148.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.