Severity Rating: High

Systems Affected

SolarWinds Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or
with 2020.2 HF 1, including:

Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SRM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)

Overview

A vulnerability has been reported in SolarWinds' Orion IT monitoring and
management software which could allow a remote attacker to bypass
authentication and execute API commands, which may result in a compromise
of the SolarWinds instance.

Description

This vulnerability exists due to an error while processing authentication
requests within the SolarWinds Orion API. An unauthenticated, remote
attacker could exploit this vulnerability by creating specially crafted
parameters within the "Request.PathInfo" URI component and setting the
"SkipAuthentication" flag.

Successful exploitation of this vulnerability allows the attacker to bypass
authentication and execute API commands, which may result in compromise of
the SolarWinds instance.

Note: It is reported that this vulnerability is being exploited in the
wild.
Solution

Organisations are recommended to apply updates to the latest versions of
the SolarWinds Orion Platform mentioned in the SolarWinds Security
Advisory:

2019.4 HF 6
2020.2.1 HF 2
2019.2 SUPERNOVA Patch
2018.4 SUPERNOVA Patch
2018.2 SUPERNOVA Patch

Users who have already upgraded to 2020.2.1 HF 2 or 2019.4 HF 6 need take
no further action.

Affected users who are unable to install the security updates immediately
are advised to temporarily protect their environment by applying the
mitigating measures recommended in the SolarWinds SUPERNOVA Mitigation
guidance.

Recommendations

Organisations are strongly advised to take additional measures such as:

Orion Platform versions 2019.4 HF 6 and 2020.2.1 HF 2 were designed to
protect from both SUNBURST and SUPERNOVA.
All active maintenance customers of Orion Platform products, except those
customers already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2,
should apply the latest updates for the version of the product they have
deployed as soon as possible. These updates contain security enhancements,
including those designed to protect you from SUNBURST and SUPERNOVA.
Analyze all configurations of network devices managed by the Orion platform
for alteration.
Run up-to-date antivirus or EDR products that detect compromised SolarWinds
libraries and potentially anomalous process behaviour by these binaries.
Consider disabling SolarWinds in your environment entirely until you are
confident that you have a trustworthy build free of injected code.
Block all traffic to and from hosts where any version of SolarWinds Orion
software has been installed.
Identify and remove threat-actor-controlled accounts and persistence
mechanisms.
Reset all credentials used by SolarWinds software and implement a rotation
policy for these accounts.
Affected organisations should determine the need to change credentials on
all devices being managed by the affected SolarWinds platform. This
includes:
User credentials
SNMP community strings
IKE pre-shared keys
Shared secrets for TACACS, TACACS+ and RADIUS
Secrets for BGP, OSPF, EIGRP or other routing protocols
Exportable RSA keys and certificates for SSH or other protocols

Organisations should consider the impacts and applicability of these steps
on their specific network operations prior to implementing these
mitigations.

Vendor Information

References

SolarWinds
t/core-secure-configuration.htm

US CERT
on-solarwinds-software

Palo Alto Networks

Microsoft
p-based-kerberoasting-with-azure-atp/ba-p/462448
rotected-from-solorigate/
on-state-cyber-attacks/

CVE Name
CVE-2020-10148

About Cert Advisory

We have created this blog to provide the latest security advisories from India CERT on security vulnerabilities, threats, attacks and the patching required to mitigate cyber attacks.
