# SolarWinds Orion API authentication bypass allows remote command execution

**kb.cert.org/vuls/id/843464**

## Overview

The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote
attacker to execute API commands.

## Description

The [SolarWinds Orion Platform is a suite of infrastructure and system monitoring and](https://www.solarwinds.com/solutions/orion)
[management products. The SolarWinds Orion API is embedded into the Orion Core and is](https://support.solarwinds.com/SuccessCenter/s/article/Support-for-Orion-SDK-and-other-API-related-tools)
used to interface with all SolarWinds Orion Platform products. API authentication can be
[bypassed by including specific parameters in the Request.PathInfo portion of a URI](https://docs.microsoft.com/en-us/dotnet/api/system.web.httprequest.pathinfo?view=netframework-4.8)
request, which could allow an attacker to execute unauthenticated API commands. In
particular, if an attacker appends a `PathInfo parameter of` `WebResource.axd,`
```
ScriptResource.axd, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion

```
[server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to](https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcontext.skipauthorization)
be processed without requiring authentication.

This vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has
[indicated to have been used to install the malware known as SUPERNOVA.](https://www.solarwinds.com/securityadvisory#anchor2)

We have created a python3 script to check for vulnerable SolarWinds Orion servers:
[swcheck.py](https://kb.cert.org/static-bigvince-prod-kb-eb/swcheck.py)

## Impact

This vulnerability could allow a remote attacker to bypass authentication and execute API
commands which may result in a compromise of the SolarWinds instance.

## Solution

**Apply an Update**

Users should update to the relevant versions of the SolarWinds Orion Platform:

2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)


-----

[More information can be found in the SolarWinds Security Advisory.](https://www.solarwinds.com/securityadvisory#anchor2)

**Harden the IIS Server**

Especially in cases when updates cannot be installed, we recommend that users implement
[these mitigations to harden the IIS server.](https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip)

## Acknowledgements

This document was written by Madison Oliver and Will Dormann.

## Vendor Information

843464

Expand all

## SolarWinds Affected

Notified: 2020-12-10 Updated: 2021-01-11

**CVE-2020-10148** Affected

**Vendor Statement**

We have not received a statement from the vendor.

**References**

## References

 Other Information

**CVE IDs:** [CVE-2020-10148](http://web.nvd.nist.gov/vuln/detail/CVE-2020-10148)

**Date Public:** 2020-12-26

**Date First Published:** 2020-12-26

**Date Last Updated:** 2021-01-28 16:53 UTC

**Document Revision:** 12


-----