Security researcher Sivathmican Sivakumaran of the Zero Day Initiative has published details of three recently patched vulnerabilities in the SolarWinds Orion platform. Chained together, they allow an attacker to execute arbitrary code with administrator privileges on vulnerable systems without authorization. One of them (CVE-2020-14005) was exploited in the recent SUNBURST attack on SolarWinds; however, the exact details of how it is exploited in attacks, and whether it is exploited at all, remain unclear.
CVE-2020-14005: Command injection and arbitrary VBScript execution
The product allows a user without administrator privileges to specify the path of a VBS script that is executed when an alert is triggered. Because there is no restriction on storing VBS files on a remote SMB share, an attacker can point the action at an arbitrary VBS script of their own choosing.
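As an added, defender-side illustration (not code from the ZDI write-up or from SolarWinds), the check below shows what the missing path restriction for alert-action scripts would look like: only an absolute local path to a .vbs file inside an administrator-controlled directory is accepted, and UNC paths, \\?\ prefixes, directory traversal, relative and drive-relative paths and non-script files are rejected. The allowlisted directory, the action record format and the sample configuration are all constructed for this example and do not correspond to Orion's real storage.

```python
from pathlib import PureWindowsPath

# Constructed policy for this example: alert-action scripts may only be loaded
# from this local directory, which only administrators should be able to write to.
ALLOWED_SCRIPT_DIR = PureWindowsPath(r"C:\ProgramData\AlertScripts")
ALLOWED_SUFFIXES = {".vbs"}


def _canonical_parts(p: PureWindowsPath):
    """Collapse '.' and '..' components lexically. Returns None if '..' would
    climb above the drive root (PureWindowsPath does not resolve '..' itself)."""
    parts = []
    for part in p.parts[1:]:          # parts[0] is the anchor, e.g. 'C:\\'
        if part == "..":
            if not parts:
                return None
            parts.pop()
        elif part not in ("", "."):
            parts.append(part)
    return parts


def script_path_allowed(path: str) -> bool:
    """True only for an absolute local path to a .vbs file inside ALLOWED_SCRIPT_DIR."""
    normalized = path.strip().replace("/", "\\")
    # Reject UNC paths (\\server\share\...) and \\?\ long-path prefixes, which can
    # also encode a UNC target (\\?\UNC\server\share\...).
    if normalized.startswith("\\\\"):
        return False
    p = PureWindowsPath(normalized)
    # Require a drive letter and a root: this rejects relative ('scripts\x.vbs')
    # and drive-relative ('C:x.vbs') forms whose meaning depends on process state.
    if not p.drive or not p.root:
        return False
    parts = _canonical_parts(p)
    if parts is None:
        return False
    # Windows paths are case-insensitive, so compare lower-cased components.
    allowed_parts = [s.lower() for s in ALLOWED_SCRIPT_DIR.parts]
    actual_parts = [p.anchor.lower()] + [s.lower() for s in parts]
    if actual_parts[: len(allowed_parts)] != allowed_parts:
        return False
    if len(actual_parts) == len(allowed_parts):
        return False                  # the directory itself, not a file in it
    filename = actual_parts[-1]
    # Drop an alternate data stream suffix ('x.vbs:stream') before checking the extension.
    filename = filename.split(":", 1)[0]
    return PureWindowsPath(filename).suffix in ALLOWED_SUFFIXES


def audit_alert_actions(actions):
    """Return the names of configured actions whose script path violates the policy.
    `actions` is a list of {'name': ..., 'script_path': ...} dicts (constructed format)."""
    return [a["name"] for a in actions if not script_path_allowed(a["script_path"])]


# Constructed sample configuration. The remote-share and traversal entries are
# the shapes a restriction like this is meant to catch.
SAMPLE_ACTIONS = [
    {"name": "restart-service", "script_path": r"C:\ProgramData\AlertScripts\restart.vbs"},
    {"name": "remote-share",    "script_path": r"\\10.0.0.5\public\script.vbs"},
    {"name": "traversal",       "script_path": r"C:\ProgramData\AlertScripts\..\..\Users\Public\x.vbs"},
    {"name": "wrong-type",      "script_path": r"C:\ProgramData\AlertScripts\tool.exe"},
    {"name": "forward-slash",   "script_path": "C:/PROGRAMDATA/alertscripts/notify.vbs"},
]

if __name__ == "__main__":
    for name in audit_alert_actions(SAMPLE_ACTIONS):
        print(f"policy violation: {name}")
```

The comparison is purely lexical on purpose: it runs before anything touches the filesystem, so a path cannot be made to look local by a mapped drive or a junction. Mapped drives that resolve to network locations would still need to be caught at a different layer, for example by restricting the directory ACL rather than trusting the drive letter.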
CVE-2020-27869: Privilege escalation via SQL injection
SolarWinds Orion also contains a SQL injection vulnerability. It can be triggered by a user without administrator privileges through the "Configure Action" parameter (or the corresponding API command).
CVE-2020-10148: Authentication bypass
While individually these vulnerabilities pose little threat, together they allow an unauthorized attacker to execute code remotely at the highest privilege level. The SolarWinds Orion platform is a critical infrastructure component in organizations. SolarWinds has released fixes that address these and other vulnerabilities.
The video below shows the chained exploitation of CVE-2020-10148 and CVE-2020-14005 to execute code with administrator privileges without authorization.