Every week, our global community of hand-picked Detectify Crowdsource ethical hackers submit new vulnerabilities that we make available to our users as automated security tests. In the new series Vuln of the Month, we deep-dive into an especially interesting vulnerability that was added to our scanner in the past month. First up: CVE-2020-10148, SolarWinds Orion Authentication Bypass.
In January, Detectify added a security test for CVE-2020-10148, SolarWinds Orion Authentication Bypass. This critical zero-day vulnerability was used by attackers to deliver malware, dubbed Supernova, to take control of affected systems in the recent major attack on software provider SolarWinds.
SolarWinds’ Orion system provides centralized monitoring across an organization’s entire IT stack. According to SEC documents, Orion is used by 33,000 customers, among them US government agencies and major private corporations. The vulnerability, submitted by one of the ethical hackers in our Detectify Crowdsource network, could allow an attacker to bypass authentication and execute API commands, which could result in a compromise of the SolarWinds instance.
How this vulnerability can be exploited
API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.axd, ScriptResource.axd, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.
How can Detectify help?
If you are running SolarWinds Orion, Detectify will scan your application for CVE-2020-10148 SolarWinds Orion Authentication Bypass and alert you if it is detected.
Find vulnerabilities that you thought were fixed and more with Detectify. Begin a free 2-week trial and go hack yourself.
Already have an account? Login to check your assets.