On Saturday, December 26th, the US Computer Emergency Readiness Team (US-CERT) issued an alert advising companies that run SolarWinds Orion to apply a patch or mitigation that blocks access to the vulnerable API endpoints and prevents unauthenticated remote code execution. The vulnerability can be exploited by any attacker; it is not limited to the threat group responsible for the SUNBURST backdoor that was injected into the supply chain and discovered earlier this month. It has apparently been exploited in the wild and is associated with the previously reported web shell known as SUPERNOVA, although it could just as well be used to deliver other malicious payloads.
The official instructions from SolarWinds for mitigating this vulnerability prior to patching include a PowerShell script that downloads and installs the "URL Rewrite" extension for the Microsoft Internet Information Services (IIS) web server and edits the URL rewriting rules to block external requests for any URL ending in "ScriptResource.xsd" or "WebResource.xsd," as well as any request for the resource "i18n.ashx". Those same patterns give defenders and threat hunters something concrete to look for in IIS access logs to determine whether attackers have already exploited, or attempted to exploit, this vulnerability. Companies that intend to keep using SolarWinds Orion should update to version 2019.4 HF 6 or 2020.2.1 HF 2, or apply the latest SUPERNOVA Patch, released on December 23rd.
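The log-hunting idea above, as an added example that is not part of the original post or of the SolarWinds mitigation script: it parses IIS W3C extended log lines (a constructed sample is embedded) and flags requests whose path matches the patterns the URL Rewrite rules block, marking which ones came from outside the assumed RFC 1918 internal ranges.

```python
import re
from ipaddress import ip_address, ip_network

# URL patterns from the mitigation described above: a path ending in ScriptResource.xsd
# or WebResource.xsd, or any request for i18n.ashx (case-insensitive, as IIS paths are).
SUSPICIOUS_PATH = re.compile(r"(?:ScriptResource\.xsd|WebResource\.xsd)$|i18n\.ashx", re.I)
# RFC 1918 ranges treated as "internal" (assumption; adjust to your own address plan).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in IIS W3C extended log format; not real traffic.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-12-20 10:15:02 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
2020-12-20 10:16:44 10.0.0.5 GET /Orion/WebResource.xsd - 443 - 203.0.113.7 python-requests/2.25 200
2020-12-20 10:17:01 10.0.0.5 POST /Orion/i18n.ashx module=Core 443 - 203.0.113.7 python-requests/2.25 200
2020-12-20 10:18:30 10.0.0.5 GET /Orion/scriptresource.XSD - 443 - 192.168.1.9 Mozilla/5.0 404
"""

def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#") and fields:
            values = line.split()              # W3C fields are space-delimited
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_external(ip_text):
    """True when the client address lies outside the configured internal ranges."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return True  # unparsable source: keep it visible rather than silently drop it
    return not any(ip in net for net in INTERNAL_NETS)

def find_suspicious_requests(log_text):
    """Return log entries whose URL path matches the mitigation's blocked patterns."""
    hits = []
    for entry in parse_w3c(log_text):
        if SUSPICIOUS_PATH.search(entry.get("cs-uri-stem", "")):
            entry["external"] = is_external(entry.get("c-ip", ""))
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for h in find_suspicious_requests(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"],
              "EXTERNAL" if h["external"] else "internal")
```

Point it at a real u_ex*.log file by reading the file into `find_suspicious_requests`; a hit with a 200 status from an external address is worth correlating with the patch date and with any unfamiliar files under the Orion web root.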
US-CERT advisory: https://kb.cert.org/vuls/id/843464
SolarWinds advisory: https://www.solarwinds.com/securityadvisory#anchor2
Mitigation instructions and script: https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip