SolarWinds has released an advisory on 27th December 2020 to address the vulnerability being exploited by SUPERNOVA malware. The vulnerability resides in the SolarWinds Orion API, making it vulnerable to an authentication bypass that can further lead to remote code execution. The vulnerability has been assigned as CVE-2020-10148. This can be used to deploy SUPERNOVA malware on the target environment. Hence, we require a vulnerability management tool to detect vulnerabilities.
Supernova Malware (CVE-2020-10148) details
Uses the SolarWinds Orion API to interface with all SolarWinds Orion Platform products. API authentication can bypass by including specific parameters in the Request.PathInfo portion of the URI request, which could allow an attacker to execute unauthenticated API commands. Moreover, if an attacker appends a PathInfoparameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the Skip Authorization flag, which then allows the API request process without requiring authentication. However, a patch management solution is essential here.
SUPERNOVA
SUPERNOVA is written in .NET and specifically made for usage on SolarWinds Orion servers. However, it deploys as a DLL module. Moreover, it consists of two components – one being an unsigned webshell.dll and the other for exploiting the vulnerability present in the Orion platform to enable the deployment of malware.
Impact of Supernova Malware
In addition, the vulnerability could allow remote attackers to bypass authentication and execute remote code, which would result in a compromise of the SolarWinds instance.
Affected platforms
The vulnerability resides in the Orion API. Hence it affects several products. These include Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed or with 2020.2 HF 1 including:
Application Centric Monitor
Database Performance Analyzer Integration Module
Enterprise Operations Console
High Availability
IP Address Manager
Log Analyzer
Network Automation Manager
Network Configuration Manager
Network Operations Manager
User Device Tracker
Network Performance Monitor
NetFlow Traffic Analyzer
Server & Application Monitor
Server Configuration Monitor
Storage Resource Monitor
Virtualization Manager
VoIP & Network Quality Manager
Web Performance Monitor (WPM)
Solution
Solarwinds has issued patches for fixing the vulnerability. SanerNow detects the vulnerability (CVE-2020-10148).