CVE-2020-10148 SolarWinds Orion API Auth Bypass

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Sigma rule

title: CVE-2020-10148 SolarWinds Orion API Auth Bypass
id: 5a35116f-43bc-4901-b62d-ef131f42a9af
status: test
description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
references:
    - https://kb.cert.org/vuls/id/843464
author: Bhabesh Raj, Tim Shelton
date: 2020-12-27
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-10148
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/WebResource.axd'
            - '/ScriptResource.axd'
            - '/i18n.ashx'
            - '/Skipi18n'
    selection2:
        cs-uri-query|contains:
            - '/SolarWinds/'
            - '/api/'
    valid_request_1:
        cs-uri-query|contains: 'Orion/Skipi18n/Profiler/'
    valid_request_2:
        cs-uri-query|contains:
            - 'css.i18n.ashx'
            - 'js.i18n.ashx'
    condition: all of selection* and not 1 of valid_request_*
falsepositives:
    - Unknown
level: critical
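
The rule's condition applied to constructed cs-uri-query values, as an added example that is not part of the rule or of the Sigma project's code. The function names and sample values are assumptions; matching is case-insensitive, which is Sigma's default for string values.

```python
# Added example: evaluates the rule's detection logic on one field value.
# The four tuples below are copied from the rule's detection section.
SELECTION = ('/WebResource.axd', '/ScriptResource.axd', '/i18n.ashx', '/Skipi18n')
SELECTION2 = ('/SolarWinds/', '/api/')
VALID_REQUEST_1 = ('Orion/Skipi18n/Profiler/',)
VALID_REQUEST_2 = ('css.i18n.ashx', 'js.i18n.ashx')
MATCH = 'all of selection* and not 1 of valid_request_*'


def contains_any(value, needles):
    """Sigma 'contains' with a list: case-insensitive substring, OR across items."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def evaluate(query):
    """Return (matched, reason) for one cs-uri-query value (hypothetical helper)."""
    if not contains_any(query, SELECTION):
        return False, 'selection not met'
    if not contains_any(query, SELECTION2):
        return False, 'selection2 not met'
    if contains_any(query, VALID_REQUEST_1):
        return False, 'excluded by valid_request_1'
    if contains_any(query, VALID_REQUEST_2):
        return False, 'excluded by valid_request_2'
    return True, MATCH


# Constructed field values, not taken from real logs; "example" is a placeholder.
SAMPLES = [
    '/api/example/WebResource.axd',
    '/SolarWinds/example/SCRIPTRESOURCE.AXD',
    '/Orion/Skipi18n/Profiler/api/example',
    '/api/example/Skipi18n/js.i18n.ashx',
    '/WebResource.axd?d=example',
    '/api/example/status',
]


def run(samples=SAMPLES):
    """Evaluate every sample and return (query, matched, reason) tuples."""
    return [(s, *evaluate(s)) for s in samples]


if __name__ == '__main__':
    for query, matched, reason in run():
        print(f"{'ALERT' if matched else 'ok':5}  {query}  ({reason})")
```

The third and fourth samples satisfy both selections and are suppressed only by the valid_request_* filters, which is the part of the condition that keeps legitimate Orion resource requests from alerting.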
