Imperva Cyber Community

 View Only

Manual Mitigation for CVE-2020-10148: SolarWinds Orion API authentication bypass RCE

By Patrick Mccrudden posted 01-04-2021 15:01

  

Recently a new vulnerability was discovered related to SolarWinds Orion API.

 

Vulnerability description:

The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

(Clarification: Although the above description mention the “PathInfo parameter”, the vulnerability is in the URL.)

 

Full description is available at: https://kb.cert.org/vuls/id/843464

 

Cloud WAF customers and on-prem customers that have “SecureSphere Emergency Feed” (THR feeds) are already protected OOTB.

 

Below are manual mitigation steps to address CVE-2020-10148 (for on-prem customers):

 

  1. Create a new manual dictionary or use an existing one
  2. Create a new signature (inside the dictionary from the previous step) with the following definition:
  • Signature name:

          CVE-2020-10148: SolarWinds Orion API authentication bypass RCE

  • Signature pattern:

          part="i18n.ashx", rgxp="^(?:(?!((orion|webengine).*\.css\.|\.js\.)).)*\.?i18n\.ashx$"

  • Protocols:
    http
    https
  • Search Signature in:

          Url

     3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it


#CloudWAF(formerlyIncapsula)
#On-PremisesWAF(formerlySecuresphere)
0 comments
2423 views

Permalink