CVE-2020-10148
Published: 29 December 2020
Summary
CVE-2020-10148 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the SolarWinds Orion Platform. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
The vulnerability is an authentication bypass in the SolarWinds Orion API, tracked as CVE-2020-10148 with CVSS score 9.8. It affects the SolarWinds Orion Platform in versions 2019.4 HF 5, 2020.2 without hotfix, and 2020.2 HF 1, and is associated with CWE-288 and CWE-306. The flaw permits remote attackers to issue API commands without valid credentials, which can lead to full compromise of the SolarWinds instance.
An unauthenticated remote attacker can exploit the weakness over the network to bypass authentication controls and directly execute arbitrary API operations. Successful exploitation grants the attacker the ability to read, modify, or delete data and configuration settings within the Orion environment, potentially resulting in complete control of the monitoring platform and any connected systems.
SolarWinds has published a security advisory detailing the issue, and the CERT Coordination Center has released vulnerability note VU#843464 that references the same advisory and affected versions. These sources direct administrators to apply vendor-supplied hotfixes or upgrade to a patched release to eliminate the authentication bypass.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2611
Vulnerability details
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
- CWE(s): CWE-288, CWE-306
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces authentication and authorization checks on all API requests, directly blocking the unauthenticated command execution path in CVE-2020-10148.
- IA-2 (Identification and Authentication (Organizational Users)): Requires valid identification and authentication before granting access to organizational users or services, eliminating the authentication bypass exploited by the Orion API flaw.
- Mandates prompt application of vendor hotfixes or upgrades that close the specific authentication bypass in the listed SolarWinds Orion versions.