3 Vulnerabilities in SolarWinds Orion Allows Remote Code Execution

(CVE-2020-14005) was exploited in the recent SUNBURST attack on SolarWinds.


Security researcher Sivathmican Sivakumaran of the Zero Day Initiative has released details on three recently patched vulnerabilities in the SolarWinds Orion platform, the combined exploitation of which allows an attacker to execute arbitrary code with administrator privileges without authorization on vulnerable systems. One of these vulnerabilities (CVE-2020-14005) was exploited in the recent SUNBURST attack on SolarWinds. However, the exact details of how this vulnerability is exploited in attacks, and whether it is exploited at all, are still unclear.


CVE-2020-14005 : Command injection and arbitrary VBScript execution

The product allows a user without administrator privileges to specify the path to execute a VBS script when an alert is triggered. There are no restrictions on storing VBS files on a remote SMB share, so an attacker can specify an arbitrary VBS script to execute.


CVE-2020-27869 : Privilege Escalation for SQL Injection

SolarWinds Orion also has a SQL injection vulnerability. It can be operated by a user without administrator privileges using the "Configure Action" parameter (or the corresponding API command).


CVE-2020-10148 : Authentication Bypass

After analyzing the hotfix provided by Hotfix 2, the Zero Day Initiative investigated a vulnerability that could bypass all authentication mechanisms. According to them, the application contains logic to bypass authentication when a client requests resources for which authentication is optional, such as JavaScript and CSS files. In particular, authentication can be bypassed if the request URL path contains "Skipi18n" or ends with "i18n.ashx", "WebResource.axd", or "ScriptResource.axd".


While the vulnerabilities individually pose little threat, collectively they can allow an unauthorized attacker to remotely execute code at the highest level. The SolarWinds Orion platform is a critical infrastructure element in organizations. SolarWinds has released fixes to address these and other vulnerabilities.


The video below shows the cumulative exploitation of CVE-2020-10148 and CVE-2020-14005 to execute code with administrator privileges without authorization.