An authentication bypass vulnerability in the SolarWinds Orion software may have been used as a zero-day to deploy the SUPERNOVA malware in target environments.
SolarWinds has published a new advisory stating that the SolarWinds Orion API, which is used to interface with all other Orion system monitoring and management products, suffers from a security flaw (CVE-2020-10148) that could let a remote attacker execute unauthenticated API commands, resulting in a compromise of the SolarWinds instance.
SolarWinds released an updated security advisory on December 24, stating that malicious software could be deployed through the exploitation of a vulnerability in the Orion Platform. Further details regarding the vulnerability are not known.
Last week, Microsoft disclosed that a second threat actor might have been abusing SolarWinds’ Orion software to insert an additional piece of malware called SUPERNOVA on target systems.
This was also confirmed by cybersecurity firms Palo Alto Networks’ Unit 42 threat intelligence team and GuidePoint Security, who have described it as a .NET web shell implemented by modifying an “app_web_logoimagehandler.ashx.b6031896.dll” module of the SolarWinds Orion application.
The purpose of the DLL is to return the logo image configured by a user to other components of the Orion web application via an HTTP API. The malicious modification, however, allowed it to receive remote commands from an attacker-controlled server and execute them in memory in the context of the server user.
The SUPERNOVA web shell is believed to have been inserted by an unidentified third party and not by the SUNBURST actors (tracked as “UNC2452”), as the DLL is not digitally signed, unlike the SUNBURST DLL.
FireEye, which first revealed the SUNBURST implant, stated that the actors behind the operation routinely removed their tools, including the backdoors, after obtaining legitimate remote access, which suggests a high degree of technical sophistication and attention to operational security.
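Because the distinguishing trait reported for the SUPERNOVA DLL is the absence of a digital signature, a first triage step for a suspect module such as app_web_logoimagehandler.ashx.b6031896.dll is to check whether the PE file carries an embedded Authenticode certificate table at all. The following Python is an added example (not code from SolarWinds or any of the vendors cited) that parses the PE optional header for that table; the sample PE bytes are constructed inline, and a present table only means a signature is embedded, not that it is valid, so a full chain verification is still needed for positive results.

```python
import struct

# Index of the Security (Authenticode certificate table) entry in the
# optional header's data directory.
SECURITY_DIR_INDEX = 4


def authenticode_cert_table(data: bytes):
    """Return (file offset, size) of the embedded certificate table of a PE
    image, or None when no embedded Authenticode signature is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                      # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                   # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                                 # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, count_off)
    needed = dir_off - opt + 8 * (SECURITY_DIR_INDEX + 1)
    if num_dirs <= SECURITY_DIR_INDEX or opt_size < needed:
        return None                                      # table not present
    off, size = struct.unpack_from("<II", data, dir_off + 8 * SECURITY_DIR_INDEX)
    return (off, size) if off and size else None


def is_embedded_signed(data: bytes) -> bool:
    """True when the image embeds a certificate table (validity not checked)."""
    return authenticode_cert_table(data) is not None


def build_sample_pe(signed: bool, plus: bool = True) -> bytes:
    """Constructed, header-only PE used as sample input (not a real DLL)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_fixed = 112 if plus else 96
    opt = bytearray(opt_fixed + 16 * 8)                    # 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<I", opt, opt_fixed - 4, 16)         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, opt_fixed + 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, len(opt), 0x2022)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

To triage a real file, read it as bytes and pass it to is_embedded_signed; an unsigned result on a vendor module that should be signed is a reason to pull the file for full analysis.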
To address the authentication bypass vulnerability, users are advised to update to the relevant versions of the SolarWinds Orion Platform:
2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)
Customers who have already upgraded to the 2020.2.1 HF 2 or 2019.4 HF 6 versions should note that both the SUNBURST and SUPERNOVA vulnerabilities have been addressed in those releases, and no further action is required.