State of New Jersey SealOFFICIAL SITE OF THE STATE OF NEW JERSEY

UPDATE: Vulnerabilities in SolarWinds Orion Could Allow Remote Code Execution

MS-ISAC Advisory

Original Release Date: 12/28/2020

Summary

Multiple vulnerabilities have been discovered in SolarWinds Orion, the most severe of which could allow for arbitrary code execution. SolarWinds Orion is an IT performance monitoring platform that manages and optimizes IT infrastructure. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert detailing active exploitation of the SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2 HF 1.

Systems Affected

  • SolarWinds Orion Platform versions 2019.4 HF 5 through 2020.2 HF 1
  • SolarWinds Orion Platform versions prior to 2019.4 HF 6
  • SolarWinds Orion Platform versions prior to 2020.2.1 HF 2
  • **UPDATE** SolarWinds Orion Platform Version 2019.4 HF 5
  • **UPDATE** SolarWinds Orion Platform Version 2020.2
  • **UPDATE** SolarWinds Orion Platform Version 2020.2 HF 1
  • **UPDATE** For CVE-2020-10148, SolarWinds Orion Platform versions 2019.2 HF 3, 2018.4 HF 3, and 2018.2 HF 6 are also affected. Security patches have been released for each of these versions specifically to address this new vulnerability.

Risk

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home Users: Low

Technical Details

Multiple Vulnerabilities have been discovered in SolarWinds Orion, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A security vulnerability due to a define visual basic script (CVE-2020-14005)
  • An HTML injection vulnerability (CVE-2020-13169)

SolarWinds has released the second hotfix patch for versions 2020.2.1 HF 2. SolarWinds has also published a FAQ page that includes answers to several important questions including how to check your systems for compromise and information for workarounds if you are not able to upgrade your system to the latest patch level.

**UPDATE** SolarWinds Orion is prone to one vulnerability that could allow for authentication bypass. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands.  In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication, potentially resulting in a compromise of the SolarWinds instance.

Recommendations

We recommend the following actions be taken:

  • Apply appropriate updates provided by SolarWinds to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privilege user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

**UPDATE** We recommend the following actions be taken:

  • Apply appropriate updates provided by SolarWinds to vulnerable systems, immediately after appropriate testing.
    • 2019.4 HF 5 Update To 2019.4 HF 6
    • 2020.2 (with no hotfix installed) & 2020.2 HF 1 > Update To 2020.2.1 HF 2
    • If you are running 2019.2 HF 3, 2018.4 HF 3, or 2018.2 HF 6 and do not wish to update completely to one of the above versions, apply the security patch released by SolarWinds to address CVE-2020-10148.
  • Run all software as a non-privilege user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

References

SolarWinds:

Carnegie Mellon University

CVE:

US-CERT

FireEye

GitHub:

Reporting

We encourages recipients who discover signs of malicious cyber activity to contact us via the cyber incident report form here.

Join & Subscribe

Never miss an update! Sign up for a no cost membership today! Receive up-to-date content and more in our weekly bulletin.

Sign Up

Featured Content

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.

Agency Seals of State of NJ, NJOHSP and NJCCIC

STAY CONNECTED:

View our Privacy Policy here.

View our Site Index here.