An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries as a zero-day to deploy the SUPERNOVA malware in target environments.
According to an advisory published yesterday by the CERT Coordination Centre, the SolarWinds Orion API that’s used to interface with all other Orion system monitoring and management products suffers from a security flaw (CVE-2020-10148) that could allow a remote attacker to execute unauthenticated API commands, thus resulting in a compromise of the SolarWinds instance.
“The authentication of the API can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request to the API, which could allow an attacker to execute unauthenticated API commands,” the advisory states.
“In particular, if an attacker appends a PathInfo parameter of ‘WebResource.adx,’ ‘ScriptResource.adx,’ ‘i18n.ashx,’ or ‘Skipi18n’ to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.”
It’s worth noting that SolarWinds’ updated security advisory on December 24 made note of an unspecified vulnerability in the Orion Platform that could be exploited to deploy rogue software such as SUPERNOVA. But exact details of the flaw remained unclear until now.
images from Hacker News