cvelistv5 - CVE-2020-10148

CVE-2020-10148 (GCVE-0-2020-10148)

Vulnerability from cvelistv5

Published

2020-12-29 21:55

Modified

2025-10-21 23:35

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Summary

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

References

URL

Tags

cret@cert.org	https://kb.cert.org/vuls/id/843464	Third Party Advisory, US Government Resource
cret@cert.org	https://www.solarwinds.com/securityadvisory	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://kb.cert.org/vuls/id/843464	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.kb.cert.org/vuls/id/843464	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.solarwinds.com/securityadvisory	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148	US Government Resource

Impacted products

	Vendor	Product	Version
	SolarWinds	Orion Platform	Version: 2019.4 HF 5 Version: 2020.2 without hotfix Version: 2020.2 HF 1

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2021-11-03

Due date: 2022-05-03

Required action: Apply updates per vendor instructions.

Used in ransomware: Unknown

Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-10148

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:50:57.882Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.kb.cert.org/vuls/id/843464"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.solarwinds.com/securityadvisory"
          },
          {
            "name": "VU#843464",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://kb.cert.org/vuls/id/843464"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "orion_platform",
            "vendor": "solarwinds",
            "versions": [
              {
                "status": "affected",
                "version": "2019.4"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:solarwinds:orion_platform:2020.2.1:-:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "orion_platform",
            "vendor": "solarwinds",
            "versions": [
              {
                "status": "affected",
                "version": "2020.2.1"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:solarwinds:orion_platform:2020.2:hotfix1:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "orion_platform",
            "vendor": "solarwinds",
            "versions": [
              {
                "status": "affected",
                "version": "2020.2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-10148",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-01T19:31:04.550116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:35:30.955Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-03T00:00:00+00:00",
            "value": "CVE-2020-10148 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Orion Platform",
          "vendor": "SolarWinds",
          "versions": [
            {
              "status": "affected",
              "version": "2019.4 HF 5"
            },
            {
              "status": "affected",
              "version": "2020.2 without hotfix"
            },
            {
              "status": "affected",
              "version": "2020.2 HF 1"
            }
          ]
        }
      ],
      "datePublic": "2020-12-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-29T21:55:16.000Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.solarwinds.com/securityadvisory"
        },
        {
          "name": "VU#843464",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://kb.cert.org/vuls/id/843464"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Users should update to the relevant versions of the SolarWinds Orion Platform:\n\n2019.4 HF 6 (released December 14, 2020)\n2020.2.1 HF 2 (released December 15, 2020)\n2019.2 SUPERNOVA Patch (released December 23, 2020)\n2018.4 SUPERNOVA Patch (released December 23, 2020)\n2018.2 SUPERNOVA Patch (released December 23, 2020)"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "SUNBURST",
          "ASSIGNER": "cert@cert.org",
          "DATE_PUBLIC": "2020-12-13T00:00:00.000Z",
          "ID": "CVE-2020-10148",
          "STATE": "PUBLIC",
          "TITLE": "SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Orion Platform",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_name": "2019.4 HF 5",
                            "version_value": "2019.4 HF 5"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "2020.2 without hotfix",
                            "version_value": "2020.2 without hotfix"
                          },
                          {
                            "version_affected": "=",
                            "version_name": "2020.2 HF 1",
                            "version_value": "2020.2 HF 1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SolarWinds"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.solarwinds.com/securityadvisory",
              "refsource": "CONFIRM",
              "url": "https://www.solarwinds.com/securityadvisory"
            },
            {
              "name": "VU#843464",
              "refsource": "CERT-VN",
              "url": "https://kb.cert.org/vuls/id/843464"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Users should update to the relevant versions of the SolarWinds Orion Platform:\n\n2019.4 HF 6 (released December 14, 2020)\n2020.2.1 HF 2 (released December 15, 2020)\n2019.2 SUPERNOVA Patch (released December 23, 2020)\n2018.4 SUPERNOVA Patch (released December 23, 2020)\n2018.2 SUPERNOVA Patch (released December 23, 2020)"
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2020-10148",
    "datePublished": "2020-12-29T21:55:16.195Z",
    "dateReserved": "2020-03-05T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:35:30.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2020-10148",
      "cwes": "[\"CWE-288\"]",
      "dateAdded": "2021-11-03",
      "dueDate": "2022-05-03",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2020-10148",
      "product": "Orion",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.",
      "vendorProject": "SolarWinds",
      "vulnerabilityName": "SolarWinds Orion Authentication Bypass Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-10148\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2020-12-29T22:15:12.327\",\"lastModified\":\"2025-10-24T14:36:09.547\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.\"},{\"lang\":\"es\",\"value\":\"La API Orion de SolarWinds es vulnerable a una omisi\u00f3n de autenticaci\u00f3n que podr\u00eda permitir a un atacante remoto ejecutar comandos de la API.\u0026#xa0;Esta vulnerabilidad podr\u00eda permitir a un atacante remoto omitir la autenticaci\u00f3n y ejecutar comandos de la API, lo que puede resultar en un compromiso de la instancia de SolarWinds.\u0026#xa0;Las versiones 2019.4 HF 5, 2020.2 de SolarWinds Orion Platform sin revisi\u00f3n instalada y 2020.2 HF 1 est\u00e1n afectadas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2021-11-03\",\"cisaActionDue\":\"2022-05-03\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"SolarWinds Orion Authentication Bypass Vulnerability\",\"weaknesses\":[{\"source\":\"cret@cert.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-288\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*\",\"matchCriteriaId\":\"28A11AD1-B244-4725-90ED-0E656872004F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:solarwinds:orion_platform:2020.2:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"5857C0F0-37C5-4CF6-B921-7D5BFE065EAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:solarwinds:orion_platform:2020.2.1:hotfix1:*:*:*:*:*:*\",\"matchCriteriaId\":\"60F65C7E-90D6-4BB5-BA76-593CD5786C95\"}]}]}],\"references\":[{\"url\":\"https://kb.cert.org/vuls/id/843464\",\"source\":\"cret@cert.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.solarwinds.com/securityadvisory\",\"source\":\"cret@cert.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://kb.cert.org/vuls/id/843464\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.kb.cert.org/vuls/id/843464\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.solarwinds.com/securityadvisory\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.kb.cert.org/vuls/id/843464\"}, {\"url\": \"https://www.solarwinds.com/securityadvisory\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://kb.cert.org/vuls/id/843464\", \"name\": \"VU#843464\", \"tags\": [\"third-party-advisory\", \"x_refsource_CERT-VN\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T10:50:57.882Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2020-10148\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-01T19:31:04.550116Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2021-11-03\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2020-10148\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*\"], \"vendor\": \"solarwinds\", \"product\": \"orion_platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"2019.4\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:solarwinds:orion_platform:2020.2.1:-:*:*:*:*:*:*\"], \"vendor\": \"solarwinds\", \"product\": \"orion_platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"2020.2.1\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:solarwinds:orion_platform:2020.2:hotfix1:*:*:*:*:*:*\"], \"vendor\": \"solarwinds\", \"product\": \"orion_platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"2020.2\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-01T19:31:27.529Z\"}}], \"cna\": {\"title\": \"SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"affected\": [{\"vendor\": \"SolarWinds\", \"product\": \"Orion Platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"2019.4 HF 5\"}, {\"status\": \"affected\", \"version\": \"2020.2 without hotfix\"}, {\"status\": \"affected\", \"version\": \"2020.2 HF 1\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Users should update to the relevant versions of the SolarWinds Orion Platform:\\n\\n2019.4 HF 6 (released December 14, 2020)\\n2020.2.1 HF 2 (released December 15, 2020)\\n2019.2 SUPERNOVA Patch (released December 23, 2020)\\n2018.4 SUPERNOVA Patch (released December 23, 2020)\\n2018.2 SUPERNOVA Patch (released December 23, 2020)\"}], \"datePublic\": \"2020-12-13T00:00:00\", \"references\": [{\"url\": \"https://www.solarwinds.com/securityadvisory\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://kb.cert.org/vuls/id/843464\", \"name\": \"VU#843464\", \"tags\": [\"third-party-advisory\", \"x_refsource_CERT-VN\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-288\", \"description\": \"CWE-288 Authentication Bypass Using an Alternate Path or Channel\"}]}], \"providerMetadata\": {\"orgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"shortName\": \"certcc\", \"dateUpdated\": \"2020-12-29T21:55:16\"}, \"x_legacyV4Record\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_name\": \"2019.4 HF 5\", \"version_value\": \"2019.4 HF 5\", \"version_affected\": \"=\"}, {\"version_name\": \"2020.2 without hotfix\", \"version_value\": \"2020.2 without hotfix\", \"version_affected\": \"=\"}, {\"version_name\": \"2020.2 HF 1\", \"version_value\": \"2020.2 HF 1\", \"version_affected\": \"=\"}]}, \"product_name\": \"Orion Platform\"}]}, \"vendor_name\": \"SolarWinds\"}]}}, \"solution\": [{\"lang\": \"en\", \"value\": \"Users should update to the relevant versions of the SolarWinds Orion Platform:\\n\\n2019.4 HF 6 (released December 14, 2020)\\n2020.2.1 HF 2 (released December 15, 2020)\\n2019.2 SUPERNOVA Patch (released December 23, 2020)\\n2018.4 SUPERNOVA Patch (released December 23, 2020)\\n2018.2 SUPERNOVA Patch (released December 23, 2020)\"}], \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://www.solarwinds.com/securityadvisory\", \"name\": \"https://www.solarwinds.com/securityadvisory\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://kb.cert.org/vuls/id/843464\", \"name\": \"VU#843464\", \"refsource\": \"CERT-VN\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-288 Authentication Bypass Using an Alternate Path or Channel\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2020-10148\", \"AKA\": \"SUNBURST\", \"STATE\": \"PUBLIC\", \"TITLE\": \"SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands\", \"ASSIGNER\": \"cert@cert.org\", \"DATE_PUBLIC\": \"2020-12-13T00:00:00.000Z\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2020-10148\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-16T17:28:03.664Z\", \"dateReserved\": \"2020-03-05T00:00:00\", \"assignerOrgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"datePublished\": \"2020-12-29T21:55:16.195722Z\", \"assignerShortName\": \"certcc\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2020-10148

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2020-10148

Aliases

CVE-2020-10148

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-10148",
    "description": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.",
    "id": "GSD-2020-10148"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-10148"
      ],
      "details": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.",
      "id": "GSD-2020-10148",
      "modified": "2023-12-13T01:22:04.576623Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cisa.gov": {
      "cveID": "CVE-2020-10148",
      "dateAdded": "2021-11-03",
      "dueDate": "2022-05-03",
      "product": "SolarWinds Orion Platform",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.",
      "vendorProject": "SolarWinds",
      "vulnerabilityName": "SolarWinds Orion API Authentication Bypass Vulnerability"
    },
    "cve.org": {
      "CVE_data_meta": {
        "AKA": "SUNBURST",
        "ASSIGNER": "cert@cert.org",
        "DATE_PUBLIC": "2020-12-13T00:00:00.000Z",
        "ID": "CVE-2020-10148",
        "STATE": "PUBLIC",
        "TITLE": "SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Orion Platform",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_name": "2019.4 HF 5",
                          "version_value": "2019.4 HF 5"
                        },
                        {
                          "version_affected": "=",
                          "version_name": "2020.2 without hotfix",
                          "version_value": "2020.2 without hotfix"
                        },
                        {
                          "version_affected": "=",
                          "version_name": "2020.2 HF 1",
                          "version_value": "2020.2 HF 1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SolarWinds"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.solarwinds.com/securityadvisory",
            "refsource": "CONFIRM",
            "url": "https://www.solarwinds.com/securityadvisory"
          },
          {
            "name": "VU#843464",
            "refsource": "CERT-VN",
            "url": "https://kb.cert.org/vuls/id/843464"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Users should update to the relevant versions of the SolarWinds Orion Platform:\n\n2019.4 HF 6 (released December 14, 2020)\n2020.2.1 HF 2 (released December 15, 2020)\n2019.2 SUPERNOVA Patch (released December 23, 2020)\n2018.4 SUPERNOVA Patch (released December 23, 2020)\n2018.2 SUPERNOVA Patch (released December 23, 2020)"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:solarwinds:orion_platform:2020.2.1:hotfix1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:solarwinds:orion_platform:2020.2:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2020-10148"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#843464",
              "refsource": "CERT-VN",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://kb.cert.org/vuls/id/843464"
            },
            {
              "name": "https://www.solarwinds.com/securityadvisory",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.solarwinds.com/securityadvisory"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-10-21T17:17Z",
      "publishedDate": "2020-12-29T22:15Z"
    }
  }
}

CERTFR-2020-ALE-026

Vulnerability from certfr_alerte

\[Mise à jour du 28 décembre 2020\] Le 27 décembre 2020, l'avis SolarWinds a été mis à jour pour apporter des précisions sur SUPERNOVA, un "code encoquillé" (*webshell*) déposé et exécuté *via* l'exploitation d'une vulnérabilité corrigée dans les dernières versions d'Orion. \[Mise à jour du 23 décembre 2020\]

Le 17 décembre, Palo Alto a publié un rapport [6] dans lequel ils indiquent qu’un webshell a été identifié dans une autre bibliothèque présente dans le serveur Web de la solution Orion. Ce webshell, dénommé SUPERNOVA, a la particularité de ne pas requérir la transmission d’un code exécutable par l’attaquant mais un code source en .NET qui sera exécuté en mémoire sur le serveur sans laisser de traces sur le disque.

\[Version initiale\] Le 8 décembre 2020, FireEye a annoncé avoir découvert une campagne d'intrusion par le biais d'une compromission de mise à jour de la plateforme de gestion et de supervision Orion de SolarWinds. Cette plate-forme a servi de vecteur pour une attaque par la chaîne d'approvisionnement (*supply chain attack)*. Les mises à jour ont été altérées afin d'inclure un maliciel appelé SUNBURST \[1\]. Le code malveillant permet à l'attaquant d'exécuter du code à distance et d'exfiltrer des données. L'éditeur confirme que certaines versions de son produit ont été altérées et a publié un avis afin de fournir toutes les informations pour que les utilisateurs puissent sécuriser leurs installations \[2\]. D'après FireEye, la campagne aurait commencé au printemps 2020 et continuerait actuellement. FireEye a mis à disposition des signatures de détection (cf \[3\]) pour ce maliciel.

Solution

**\[Version du 06 janvier 2021 - mise à jour de la recommandation sur la version logicielle à privilégier\]** Le CERT-FR recommande fortement : - de vérifier si la version utilisée est affectée. Si c'est le cas, l'éditeur recommande de déconnecter les serveurs et considérer que le système d'information a pu être compromis dans son ensemble. En effet, il s'agit ici d'un logiciel légitime contenant une porte dérobée malveillante. - de réaliser, dans la mesure du possible, une image des disques et de la mémoire des serveurs hébergeant le produit Orion, cela à titre conservatoire pour recherche postérieure. - de prendre connaissance des marqueurs tenus à jour par l’US-CERT concernant SUNBURST \[8\]. - de prendre connaissance des marqueurs concernant SUPERNOVA \[6\]. - d’inventorier toutes les machines supervisées par SolarWinds Orion afin de les analyser en priorité. - de procéder à des recherches de compromissions au sein du système d'information en privilégiant les marqueurs réseau puis les indicateurs de compromission ‘système’. Microsoft a notamment centralisé la documentation sur les aspects techniques liés à cette compromission \[9\]. - de contrôler les potentielles modifications au niveau des annuaires Active Directory et notamment l’ajout de privilèges élevés à des comptes \[10\] ou l’ajout d’approbations entre domaines ou forêts \[11\]. - de contrôler l’utilisation anormale de jetons SAML notamment avec les plates-formes Office365/Azure AD. - **de mettre à jour la solution Orion vers la version 2020.2.1 HF2 ou à défaut vers la version 2019.4 HF 6 ** Pour rappel, le CERT-FR a publié un guide à suivre en cas d’intrusion \[5\]. ------------------------------------------------------------------------ La mise à jour d’un produit ou d’un logiciel est une opération délicate qui doit être menée avec prudence. Il est notamment recommandé d’effectuer des tests autant que possible. Des dispositions doivent également être prises pour garantir la continuité de service en cas de difficultés lors de l’application des mises à jour comme des correctifs ou des changements de version.

[Mise à jour du 06 janvier 2021]

Plateforme Orion de SolarWinds versions antérieures à 2019.4 HF 6 et 2020.2.1 HF 2

Important : le code malveillant SUNBURST n'est présent que dans les versions citées ci-dessous, cependant l'éditeur considère que la vulnérabilité CVE-2020-10148 [12][13] permettant notamment l'installation du webshell SUPERNOVA est présente dans toutes les versions antérieures.

[Mise à jour du 17 décembre 2020]

Plateforme Orion de SolarWinds versions 2019.4 HF 5 à 2020 2.1 HF 1

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

[6] Rapport Palo Alto	-	other
[5] Les bons réflexes en cas d’intrusion sur un système d’information	-	other
[8] Alerte US-CERT et liste des marqueurs	-	other
[13] avis CERT-FR CERTFR-2020-AVI-845 du 28 décembre 2020	-	other
[2] Avis de sécurité de l'éditeur	-	other
[9] Référence documentaire Microsoft	-	other
[4] Article de MSRC	-	other
[11] Outil de détection Microsoft	-	other
[10] Outil de détection Microsoft	-	other
[7] Rapport Microsoft du 18 décembre 2020	-	other
[3] Signature de détection proposée par FireEye	-	other
[1] Papier de recherche de FireEye	-	other
[12] CVE-2020-10148	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003e\u003cstrong\u003e[Mise \u00e0 jour du 06 janvier 2021]\u003c/strong\u003e\u003c/p\u003e \u003cul\u003e \u003cli\u003ePlateforme Orion de SolarWinds versions ant\u00e9rieures \u00e0 2019.4 HF 6 et 2020.2.1 HF 2\u003c/li\u003e \u003c/ul\u003e \u003cp\u003e\u003cu\u003e\u003cstrong\u003eImportant\u003c/strong\u003e\u003c/u\u003e : le code malveillant SUNBURST n\u0027est pr\u00e9sent que dans les versions cit\u00e9es ci-dessous, cependant l\u0027\u00e9diteur consid\u00e8re que la vuln\u00e9rabilit\u00e9 CVE-2020-10148 [12][13] permettant notamment l\u0027installation du webshell SUPERNOVA est pr\u00e9sente \u003cu\u003edans toutes les versions ant\u00e9rieures\u003c/u\u003e.\u003c/p\u003e \u003cp\u003e\u0026nbsp;\u003c/p\u003e \u003cp\u003e\u003cstrong\u003e[Mise \u00e0 jour du 17 d\u00e9cembre 2020]\u003c/strong\u003e\u003c/p\u003e \u003cul\u003e \u003cli\u003ePlateforme Orion de SolarWinds versions 2019.4 HF 5 \u00e0 2020 2.1 HF 1\u003c/li\u003e \u003c/ul\u003e ",
  "closed_at": "2021-04-15",
  "content": "## Solution\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n**\\[Version du 06 janvier 2021 - mise \u00e0 jour de la recommandation sur la\nversion logicielle \u00e0 privil\u00e9gier\\]**\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nLe CERT-FR recommande fortement :\n\n-   de v\u00e9rifier si la version utilis\u00e9e est affect\u00e9e. Si c\u0027est le cas,\n    l\u0027\u00e9diteur recommande de d\u00e9connecter les serveurs et consid\u00e9rer que\n    le syst\u00e8me d\u0027information a pu \u00eatre compromis \u003cu\u003edans son\n    ensemble\u003c/u\u003e. En effet, il s\u0027agit ici d\u0027un logiciel l\u00e9gitime\n    contenant une porte d\u00e9rob\u00e9e malveillante.\n-   de r\u00e9aliser, dans la mesure du possible, une image des disques et de\n    la m\u00e9moire des serveurs h\u00e9bergeant le produit Orion, cela \u00e0 titre\n    conservatoire pour recherche post\u00e9rieure.\n-   de prendre connaissance des marqueurs tenus \u00e0 jour par l\u2019US-CERT\n    concernant SUNBURST \\[8\\].\n-   de prendre connaissance des marqueurs concernant SUPERNOVA \\[6\\].\n-   d\u2019inventorier toutes les machines supervis\u00e9es par SolarWinds Orion\n    afin de les analyser en priorit\u00e9.\n-   de proc\u00e9der \u00e0 des recherches de compromissions au sein du syst\u00e8me\n    d\u0027information en privil\u00e9giant les marqueurs r\u00e9seau puis les\n    indicateurs de compromission \u2018syst\u00e8me\u2019. Microsoft a notamment\n    centralis\u00e9 la documentation sur les aspects techniques li\u00e9s \u00e0 cette\n    compromission \\[9\\].\n-   de contr\u00f4ler les potentielles modifications au niveau des annuaires\n    Active Directory et notamment l\u2019ajout de privil\u00e8ges \u00e9lev\u00e9s \u00e0 des\n    comptes \\[10\\] ou l\u2019ajout d\u2019approbations entre domaines ou for\u00eats\n    \\[11\\].\n-   de contr\u00f4ler l\u2019utilisation anormale de jetons SAML notamment avec\n    les plates-formes Office365/Azure AD.\n-   **de mettre \u00e0 jour la solution Orion vers la version 2020.2.1 HF2 ou\n    \u00e0 d\u00e9faut vers la version 2019.4 HF 6  \n    **\n\nPour rappel, le CERT-FR a publi\u00e9 un guide \u00e0 suivre en cas d\u2019intrusion\n\\[5\\].\n\n------------------------------------------------------------------------\n\nLa mise \u00e0 jour d\u2019un produit ou d\u2019un logiciel est une op\u00e9ration d\u00e9licate\nqui doit \u00eatre men\u00e9e avec prudence. Il est notamment recommand\u00e9\nd\u2019effectuer des tests autant que possible. Des dispositions doivent\n\u00e9galement \u00eatre prises pour garantir la continuit\u00e9 de service en cas de\ndifficult\u00e9s lors de l\u2019application des mises \u00e0 jour comme des correctifs\nou des changements de version.\n\n\u003c/div\u003e\n\n\u003c/div\u003e\n",
  "cves": [
    {
      "name": "CVE-2020-10148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10148"
    }
  ],
  "initial_release_date": "2020-12-14T00:00:00",
  "last_revision_date": "2021-04-15T00:00:00",
  "links": [
    {
      "title": "[6] Rapport Palo Alto",
      "url": "https://unit42.paloaltonetworks.com/solarstorm-supernova/"
    },
    {
      "title": "[5] Les bons r\u00e9flexes en cas d\u2019intrusion sur un syst\u00e8me d\u2019information",
      "url": "https://www.cert.ssi.gouv.fr/information/CERTA-2002-INF-002/"
    },
    {
      "title": "[8] Alerte US-CERT et liste des marqueurs",
      "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-352a"
    },
    {
      "title": "[13] avis CERT-FR CERTFR-2020-AVI-845 du 28 d\u00e9cembre 2020",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2020-AVI-845/"
    },
    {
      "title": "[2] Avis de s\u00e9curit\u00e9 de l\u0027\u00e9diteur",
      "url": "https://www.solarwinds.com/securityadvisory"
    },
    {
      "title": "[9] R\u00e9f\u00e9rence documentaire Microsoft",
      "url": "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/"
    },
    {
      "title": "[4] Article de MSRC",
      "url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
    },
    {
      "title": "[11] Outil de d\u00e9tection Microsoft",
      "url": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml"
    },
    {
      "title": "[10] Outil de d\u00e9tection Microsoft",
      "url": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml"
    },
    {
      "title": "[7] Rapport Microsoft du 18 d\u00e9cembre 2020",
      "url": "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"
    },
    {
      "title": "[3] Signature de d\u00e9tection propos\u00e9e par FireEye",
      "url": "https://github.com/fireeye/sunburst_countermeasures"
    },
    {
      "title": "[1] Papier de recherche de FireEye",
      "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
    },
    {
      "title": "[12] CVE-2020-10148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10148"
    }
  ],
  "reference": "CERTFR-2020-ALE-026",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-12-14T00:00:00.000000"
    },
    {
      "description": "Correction d\u0027une coquille.",
      "revision_date": "2020-12-15T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour des informations concernant les versions affect\u00e9es et la publication des versions correctives.",
      "revision_date": "2020-12-17T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour de l\u0027alerte pour mentionner la d\u00e9couverte de Supernova et ajout de r\u00e9f\u00e9rences documentaires",
      "revision_date": "2020-12-23T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour de l\u0027alerte pour ajouter les pr\u00e9cisions de SolarWinds sur Supernova.",
      "revision_date": "2020-12-28T00:00:00.000000"
    },
    {
      "description": "Mise \u00e0 jour de l\u0027alerte pour ajouter les pr\u00e9cisions de SolarWinds sur Supernova en date du 31 d\u00e9cembre 2020.",
      "revision_date": "2021-01-06T00:00:00.000000"
    },
    {
      "description": "correction d\u0027une erreur dans l\u0027identifiant de la CVE.",
      "revision_date": "2021-01-07T00:00:00.000000"
    },
    {
      "description": "Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application des mesures correctives permet d\u0027\u00e9liminer la compromission.",
      "revision_date": "2021-04-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "\u003cdiv markdown=\"1\"\u003e\n\n\u003cstrong\u003e\\[Mise \u00e0 jour du 28 d\u00e9cembre 2020\\]\u003c/strong\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nLe 27 d\u00e9cembre 2020, l\u0027avis SolarWinds a \u00e9t\u00e9 mis \u00e0 jour pour\u00a0apporter\ndes pr\u00e9cisions sur SUPERNOVA, un \"code encoquill\u00e9\" (*webshell*) d\u00e9pos\u00e9\net ex\u00e9cut\u00e9 *via* l\u0027exploitation d\u0027une vuln\u00e9rabilit\u00e9 corrig\u00e9e dans les\nderni\u00e8res versions d\u0027Orion.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cstrong\u003e\\[Mise \u00e0 jour du 23 d\u00e9cembre 2020\\]\u003c/strong\u003e\n\n\u003c/div\u003e\n\nLe 17 d\u00e9cembre, Palo Alto a publi\u00e9 un rapport \\[6\\] dans lequel ils\nindiquent qu\u2019un *webshell* a \u00e9t\u00e9 identifi\u00e9 dans une autre biblioth\u00e8que\npr\u00e9sente dans le serveur Web de la solution Orion. Ce *webshell*,\nd\u00e9nomm\u00e9 SUPERNOVA, a la particularit\u00e9 de ne pas requ\u00e9rir la transmission\nd\u2019un code ex\u00e9cutable par l\u2019attaquant mais un code source en .NET qui\nsera ex\u00e9cut\u00e9 en m\u00e9moire sur le serveur sans laisser de traces sur le\ndisque.\n\n\u003cdiv markdown=\"1\"\u003e\n\n\u003cstrong\u003e\\[Version initiale\\]\u003c/strong\u003e\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nLe 8 d\u00e9cembre 2020, FireEye a annonc\u00e9 avoir d\u00e9couvert une campagne\nd\u0027intrusion par le biais d\u0027une compromission de mise \u00e0 jour de la\nplateforme de gestion et de supervision Orion de SolarWinds. Cette\nplate-forme a servi de vecteur pour une attaque par la cha\u00eene\nd\u0027approvisionnement (*supply chain attack)*. Les mises \u00e0 jour ont \u00e9t\u00e9\nalt\u00e9r\u00e9es afin d\u0027inclure un maliciel appel\u00e9 SUNBURST \\[1\\]. Le code\nmalveillant permet \u00e0 l\u0027attaquant d\u0027ex\u00e9cuter du code \u00e0 distance et\nd\u0027exfiltrer des donn\u00e9es.\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nL\u0027\u00e9diteur confirme que certaines versions de son produit ont \u00e9t\u00e9\nalt\u00e9r\u00e9es et a publi\u00e9 un avis afin de fournir toutes les informations\npour que les utilisateurs puissent s\u00e9curiser leurs installations \\[2\\].\n\n\u003c/div\u003e\n\n\u003cdiv markdown=\"1\"\u003e\n\nD\u0027apr\u00e8s FireEye, la campagne aurait commenc\u00e9 au printemps 2020 et\ncontinuerait actuellement. FireEye a mis \u00e0 disposition des signatures de\nd\u00e9tection (cf \\[3\\]) pour ce maliciel.\n\n\u003c/div\u003e\n",
  "title": "[MaJ] Pr\u00e9sence de code malveillant dans SolarWinds Orion",
  "vendor_advisories": []
}

fkie_cve-2020-10148

Vulnerability from fkie_nvd

Published

2020-12-29 22:15

Modified

2025-10-24 14:36

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cret@cert.org	https://kb.cert.org/vuls/id/843464	Third Party Advisory, US Government Resource
cret@cert.org	https://www.solarwinds.com/securityadvisory	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://kb.cert.org/vuls/id/843464	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.kb.cert.org/vuls/id/843464	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.solarwinds.com/securityadvisory	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148	US Government Resource

Impacted products

Vendor	Product	Version
solarwinds	orion_platform	2019.4
solarwinds	orion_platform	2020.2
solarwinds	orion_platform	2020.2.1

JSON

To clipboard

{
  "cisaActionDue": "2022-05-03",
  "cisaExploitAdd": "2021-11-03",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "SolarWinds Orion Authentication Bypass Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*",
              "matchCriteriaId": "28A11AD1-B244-4725-90ED-0E656872004F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:solarwinds:orion_platform:2020.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "5857C0F0-37C5-4CF6-B921-7D5BFE065EAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:solarwinds:orion_platform:2020.2.1:hotfix1:*:*:*:*:*:*",
              "matchCriteriaId": "60F65C7E-90D6-4BB5-BA76-593CD5786C95",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected."
    },
    {
      "lang": "es",
      "value": "La API Orion de SolarWinds es vulnerable a una omisi\u00f3n de autenticaci\u00f3n que podr\u00eda permitir a un atacante remoto ejecutar comandos de la API.\u0026#xa0;Esta vulnerabilidad podr\u00eda permitir a un atacante remoto omitir la autenticaci\u00f3n y ejecutar comandos de la API, lo que puede resultar en un compromiso de la instancia de SolarWinds.\u0026#xa0;Las versiones 2019.4 HF 5, 2020.2 de SolarWinds Orion Platform sin revisi\u00f3n instalada y 2020.2 HF 1 est\u00e1n afectadas"
    }
  ],
  "id": "CVE-2020-10148",
  "lastModified": "2025-10-24T14:36:09.547",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2020-12-29T22:15:12.327",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/843464"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.solarwinds.com/securityadvisory"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/843464"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.kb.cert.org/vuls/id/843464"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.solarwinds.com/securityadvisory"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-288"
        }
      ],
      "source": "cret@cert.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2020-AVI-845

Vulnerability from certfr_avis

Une vulnérabilité a été découverte dans l'API Orion de SolarWinds. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SolarWinds	Orion	SolarWinds Orion API version 2018.4 sans le correctif SUPERNOVA Patch (publié le 23 Décembre 2020)
SolarWinds	Orion	SolarWinds Orion API version 2020.2.1 sans le correctif HF 2 (publié le 15 Décembre 2020)
SolarWinds	Orion	SolarWinds Orion API version 2019.2 sans le correctif SUPERNOVA Patch (publié le 23 Décembre 2020)
SolarWinds	Orion	SolarWinds Orion API version 2019.4 sans le correctif HF 6 (publié le 14 Décembre 2020)
SolarWinds	Orion	SolarWinds Orion API version 2018.2 sans le correctif SUPERNOVA Patch (publié le 23 Décembre 2020)

References

Title

Publication Time

Tags

Bulletin de sécurité SolarWinds 843464 du 26 décembre 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SolarWinds Orion API version 2018.4 sans le correctif SUPERNOVA Patch (publi\u00e9 le 23 D\u00e9cembre 2020)",
      "product": {
        "name": "Orion",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "SolarWinds Orion API version 2020.2.1 sans le correctif HF 2 (publi\u00e9 le 15 D\u00e9cembre 2020)",
      "product": {
        "name": "Orion",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "SolarWinds Orion API version 2019.2 sans le correctif SUPERNOVA Patch (publi\u00e9 le 23 D\u00e9cembre 2020)",
      "product": {
        "name": "Orion",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "SolarWinds Orion API version 2019.4 sans le correctif HF 6 (publi\u00e9 le 14 D\u00e9cembre 2020)",
      "product": {
        "name": "Orion",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "SolarWinds Orion API version 2018.2 sans le correctif SUPERNOVA Patch (publi\u00e9 le 23 D\u00e9cembre 2020)",
      "product": {
        "name": "Orion",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-10148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10148"
    }
  ],
  "initial_release_date": "2020-12-28T00:00:00",
  "last_revision_date": "2020-12-28T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-845",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-12-28T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans l\u0027API Orion de SolarWinds. Elle\npermet \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0\ndistance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans SolarWinds Orion API",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds 843464 du 26 d\u00e9cembre 2020",
      "url": "https://kb.cert.org/vuls/id/843464"
    }
  ]
}

ghsa-7c8f-5r89-mjgx

Vulnerability from github

Published

2022-05-24 17:37

Modified

2025-10-22 00:32

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-10148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-288",
      "CWE-306"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-29T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.",
  "id": "GHSA-7c8f-5r89-mjgx",
  "modified": "2025-10-22T00:32:01Z",
  "published": "2022-05-24T17:37:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10148"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/843464"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/843464"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/securityadvisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2020-10148 (GCVE-0-2020-10148)

Vulnerability from cvelistv5

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

gsd-2020-10148

Vulnerability from gsd

CERTFR-2020-ALE-026

Vulnerability from certfr_alerte

Solution

fkie_cve-2020-10148

Vulnerability from fkie_nvd

CERTFR-2020-AVI-845

Vulnerability from certfr_avis

Solution

ghsa-7c8f-5r89-mjgx

Vulnerability from github

Tags

Sightings

Nomenclature