Lack of crowdsourced cybersecurity has left SolarWinds Orion exposed to a zero-day authentication bypass vulnerability in its API, tracked as CVE-2020-10148. The vulnerability may make it possible to deploy the SUPERNOVA malware in target environments. Regardless of contributing causes such as a lack of crowdsourced cybersecurity, let us read exactly what Carnegie Mellon University's CERT Coordination Center has stated:
“The authentication of the API can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request to the API, which could allow an attacker to execute unauthenticated API commands. SUPERNOVA is novel and potent due to its in-memory execution, sophistication in its parameters, and execution and flexibility by implementing a full programmatic API to the .NET runtime.
In particular, if an attacker appends a PathInfo parameter of ‘WebResource.adx’, ‘ScriptResource.adx’, ‘i18n.ashx’, or ‘Skipi18n’ to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.”
Carnegie Mellon University's CERT/CC has warned SolarWinds Orion users about a weakness in the SolarWinds Orion API, the component embedded in the Orion Core and used to interface with all other Orion Platform products. This is not a “man in the middle” attack: because the server skips authorization for any request whose path carries one of the strings above, a remote attacker with network access to the Orion web server can execute API commands directly, without any credentials and without intercepting anyone else's session.
History of the authentication bypass vulnerability in the SolarWinds Orion software
It was Microsoft that first disclosed that SolarWinds Orion was being attacked with the SUPERNOVA malware. Although the vulnerability has since been acknowledged in an updated security advisory, the exact details of the deficiency were left undefined until now.
The existence of this vulnerability has also been confirmed by Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security. They assessed that the SUPERNOVA .NET web shell is implanted by modifying “app_web_logoimagehandler.ashx.b6031896.dll”, a legitimate Orion component.
On an uncompromised server, the job of this DLL is simply to retrieve the logo image configured by a user. The SUPERNOVA-trojanized DLL additionally accepts remote commands from the attacker through the same HTTP handler: the .NET code supplied in the request is compiled and executed in memory, in the context of the server user, so no new executable ever has to touch the disk.
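Both behaviours described above leave traces in the web server's request log: the authentication bypass shows up as one of the four SkipAuthorization strings appearing as a path segment, and SUPERNOVA use shows up as requests to the logo image handler carrying code-execution parameters. The following detection script is an added example written for this article, not code from SolarWinds, CERT/CC or Unit 42. The IIS log lines are constructed; the client addresses, the handler path `/Orion/LogoImageHandler.ashx`, and the SUPERNOVA parameter names `codes`, `clazz`, `method` and `args` (as reported in public SUPERNOVA analyses) are assumptions to adapt to your own environment.

```python
"""Scan IIS W3C logs for two SolarWinds Orion indicators (added example).

Rule 1: a SkipAuthorization token (WebResource.adx, ScriptResource.adx,
        i18n.ashx, Skipi18n) present as a path segment of the request.
Rule 2: a request to the logo image handler carrying SUPERNOVA's
        code-execution parameters.
"""
from urllib.parse import parse_qs, unquote

# Constructed sample log, not real Orion traffic. 10.0.0.20 plays a legitimate
# admin; 203.0.113.7 (TEST-NET-3) plays the attacker. Spaces in user agents are
# already replaced by '+' in IIS logs, so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2020-12-20 10:01:02 10.0.0.5 GET /Orion/Login.aspx - 10.0.0.20 Mozilla/5.0 200
2020-12-20 10:01:09 10.0.0.5 GET /Orion/LogoImageHandler.ashx - 10.0.0.20 Mozilla/5.0 200
2020-12-20 10:01:15 10.0.0.5 GET /Orion/WebResource.axd d=abc 10.0.0.20 Mozilla/5.0 200
2020-12-20 10:02:30 10.0.0.5 POST /SolarWinds/InformationService/v3/Json/Query/WebResource.adx - 203.0.113.7 python-requests/2.25 200
2020-12-20 10:03:11 10.0.0.5 GET /Orion/LogoImageHandler.ashx codes=dXNpbmcgU3lzdGVtOw&clazz=a&method=run&args=x 203.0.113.7 python-requests/2.25 200
2020-12-20 10:04:00 10.0.0.5 GET /Orion/i18n.ashx/Skipi18n - 203.0.113.7 python-requests/2.25 200
"""

SKIP_AUTH_TOKENS = {"webresource.adx", "scriptresource.adx", "i18n.ashx", "skipi18n"}
SUPERNOVA_PARAMS = {"codes", "clazz", "method", "args"}  # assumed parameter names
LOGO_HANDLER = "/logoimagehandler.ashx"  # assumed path of the trojanized handler


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # skip truncated lines instead of misaligning columns
        yield dict(zip(fields, values))


def skip_auth_tokens_in_path(uri_stem):
    """Return the SkipAuthorization tokens found as path segments (URL-decoded,
    case-insensitive), wherever they land in the path."""
    return [seg for seg in unquote(uri_stem).split("/")
            if seg.lower() in SKIP_AUTH_TOKENS]


def supernova_params_in_query(uri_stem, uri_query):
    """Return the SUPERNOVA parameter names present on a logo handler request."""
    if not uri_stem.lower().endswith(LOGO_HANDLER) or uri_query == "-":
        return set()
    names = {k.lower() for k in parse_qs(uri_query, keep_blank_values=True)}
    return names & SUPERNOVA_PARAMS


def scan(text):
    """Return a list of findings, one dict per matched rule per request."""
    findings = []
    for rec in parse_iis_log(text):
        stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        tokens = skip_auth_tokens_in_path(stem)
        if tokens:
            # The legitimate ASP.NET resource handlers are WebResource.axd and
            # ScriptResource.axd; ".adx" is not a real handler extension, so
            # those tokens are high confidence. i18n.ashx and Skipi18n may also
            # occur in legitimate Orion traffic (assumption), so they are only
            # queued for review by client address and user agent.
            severity = "high" if any(t.lower().endswith(".adx") for t in tokens) else "review"
            findings.append({"time": rec["time"], "client": rec["c-ip"],
                             "rule": "orion-api-auth-bypass", "severity": severity,
                             "detail": "/".join(tokens)})
        hits = supernova_params_in_query(stem, query)
        if len(hits) >= 2:  # the legitimate handler takes none of these (assumption)
            findings.append({"time": rec["time"], "client": rec["c-ip"],
                             "rule": "supernova-webshell", "severity": "high",
                             "detail": ",".join(sorted(hits))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['rule']} [{f['severity']}] {f['detail']}")
```

Run it against a real `u_ex*.log` by reading the file into `scan()`; because the column names come from the `#Fields:` header, a differently configured IIS log format still parses as long as `cs-uri-stem`, `cs-uri-query`, `c-ip` and `time` are logged. Treat the "review" findings as triage leads rather than alerts, and correlate a "high" finding with process activity on the Orion server, since the web shell runs in memory and leaves no new file to hash.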
How did SolarWinds get vulnerable?
Like other vulnerabilities discovered to date, the SolarWinds Orion vulnerability emerged gradually. ReversingLabs, Microsoft experts and independent crowdsourced cybersecurity researchers revealed that attackers had been tampering with the Orion build process since October 2019.
It appears that the attackers blended their malicious code into the original SolarWinds Orion code. Lacing a routine software update with modifications that at first looked innocuous was enough to open a security gap, a gap that crowdsourced cybersecurity could have discovered, but which is now posing a data-leakage threat to approximately 18,000 customers.
It was initially thought that SUPERNOVA was created by the same group that created the SUNBURST malware. However, the DLL that carries SUPERNOVA is not digitally signed with SolarWinds' certificate, unlike the SUNBURST DLL, which was, and that difference is one reason researchers now separate the two.
The SUNBURST malware was first identified by FireEye. As FireEye has stated, actors conducting espionage cover their traces and remove their tools after achieving their goals.
It can be said that the lack of crowdsourced cybersecurity has put the roughly eighteen thousand SolarWinds Orion customers in danger. Nevertheless, the full consequences of the SUPERNOVA deployment are still unknown. Government cybersecurity agencies, independent crowdsourced cybersecurity providers and bounty researchers are still investigating SUPERNOVA and the way it exploits the SolarWinds Orion vulnerability.
What do Crowdsourced cybersecurity experts recommend?
If you are already running the current 2020 release of SolarWinds Orion (2020.2.1 HF 2), no further action is required: thanks to the SolarWinds Orion engineers, independent crowdsourced cybersecurity researchers and other security researchers, the vulnerabilities have been addressed in that release.
Otherwise, crowdsourced cybersecurity experts recommend that you update to the fixed release for the version line you are running:
- 2019.4 HF 6 (released December 14, 2020)
- 2020.2.1 HF 2 (released December 15, 2020)
- 2019.2 SUPERNOVA Patch (released December 23, 2020)
- 2018.4 SUPERNOVA Patch (released December 23, 2020)
- 2018.2 SUPERNOVA Patch (released December 23, 2020)