CVE-2020-27871

CVSS 3.x 7.2 HIGH (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): reachable over the network with low attack complexity, but the attacker needs a high-privileged Orion account.

📋 TL;DR

This vulnerability allows an authenticated remote attacker to create arbitrary files on SolarWinds Orion Platform 2020.2.1 installations. The flaw lies in the VulnerabilitySettings.aspx endpoint, which does not properly validate a user-supplied path before using it in file operations, so a file can be written outside the directory the page is meant to touch. That file write can be leveraged to execute arbitrary code in the context of SYSTEM. Valid Orion credentials are required: this is an authenticated arbitrary file write, not an authentication bypass.

💻 Affected Systems

Products:
  • SolarWinds Orion Platform
Versions: 2020.2.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Orion Platform installation with VulnerabilitySettings.aspx accessible.

📦 What is this software?

SolarWinds Orion Platform is the shared web console, database schema and polling framework on which the SolarWinds infrastructure monitoring modules (Network Performance Monitor, Server & Application Monitor, NetFlow Traffic Analyzer, Network Configuration Manager and others) run. It is a Windows application served by IIS with a Microsoft SQL Server backend, and it stores the SNMP, WMI and SSH credentials it uses to poll monitored systems, which is what makes an Orion server such a valuable target.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary code execution as SYSTEM, leading to data theft, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Unauthorized file creation leading to web shell deployment, privilege escalation, and subsequent system compromise.

🟢

If Mitigated

Patched builds validate the supplied path, so the endpoint can no longer write outside its intended location. With the fix applied (or the endpoint blocked at the web server), an attacker still needs a valid, privileged Orion account and gains nothing beyond what that account can already do legitimately.

🌐 Internet-Facing: HIGH - Exploitation is remote and low-complexity once the attacker holds valid Orion credentials (phished, reused, or taken in an earlier compromise); an internet-exposed Orion login page is the only other prerequisite.
🏢 Internal Only: HIGH - Any insider or foothold with a privileged Orion account can go from the web console to SYSTEM on the monitoring server, which typically holds credentials for much of the monitored estate.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No (valid Orion credentials required)
Complexity: LOW

There is no authentication bypass: exploitation needs an authenticated Orion session. Once one is held, the attack is a crafted request to VulnerabilitySettings.aspx carrying a path that escapes the intended directory, so complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.4 HF 2 or later

Vendor Advisory: https://www.solarwinds.com/securityadvisory

Restart Required: Yes

Instructions:

1. Download the latest Orion Platform patch from the SolarWinds Customer Portal.
2. Back up the Orion database and configuration.
3. Run the installer as administrator.
4. Restart the Orion services.

🔧 Temporary Workarounds

Restrict access to VulnerabilitySettings.aspx

windows

Block access to the vulnerable endpoint via web server configuration or firewall rules. The rule below goes in the site's web.config inside <system.webServer> and needs the IIS URL Rewrite module installed. It also removes legitimate administrative access to that settings page until you patch; if the page must stay reachable from an admin network, add a <conditions> block on {REMOTE_ADDR} so only trusted addresses pass. AbortRequest drops the connection without a response; <action type="CustomResponse" statusCode="403" /> is the alternative if you want an explicit denial that is easier to spot in logs.

<!-- web.config, inside <system.webServer>; requires the IIS URL Rewrite module -->
<rewrite>
  <rules>
    <rule name="Block VulnerabilitySettings" stopProcessing="true">
      <!-- the url pattern is a regex and is case-insensitive by default -->
      <match url="VulnerabilitySettings\.aspx" />
      <action type="AbortRequest" />
    </rule>
  </rules>
</rewrite>

Implement strict authentication controls

all

Since the flaw needs a valid account, shrinking the set of accounts that can reach the page is the control that matters. Enforce multi-factor authentication (through SAML single sign-on where your Orion version supports it), remove or disable unused administrative accounts, rotate shared or service-account passwords, and alert on logins to Orion administrator accounts from unexpected sources or outside change windows.

🧯 If You Can't Patch

  • Isolate SolarWinds Orion server from internet and restrict internal network access.
  • Implement application allowlisting to prevent unauthorized file creation and execution.

🔍 How to Verify

Check if Vulnerable:

Check Orion version via web interface (Settings → About) or registry: HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Orion\Core

Check Version:

reg query "HKLM\SOFTWARE\SolarWinds\Orion\Core" /v Version

Verify Fix Applied:

Verify the version is 2020.2.4 HF 2 or later. Check the hotfix level in the web console (Settings → About), since a bare version number alone does not tell you which hotfixes are installed. Then, on a test instance, confirm that VulnerabilitySettings.aspx rejects path values that point outside its intended directory.
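As an added example (not SolarWinds code and not from this page's author), a version comparison that handles the "HF n" suffix the fix version carries. It assumes the threshold stated above (2020.2.4 HF 2) and the registry key and value this page quotes; whether that registry value ever includes the hotfix number is not something the page establishes, so the check treats a bare "2020.2.4" as unconfirmed rather than fixed.

```python
"""Orion Platform version check for CVE-2020-27871 (added example, not SolarWinds code).

Assumptions: the fixed build is 2020.2.4 HF 2 as stated in this page's fix section,
and the registry key/value are the ones the page quotes. A version string without an
"HF n" suffix is treated as hotfix level 0, so a bare "2020.2.4" reads as NOT fixed:
confirm the hotfix level in Settings -> About before accepting that result.
"""
import re

FIXED = (2020, 2, 4, 2)  # 2020.2.4 HF 2, per this page

# "2020.2.4 HF 2", "2020.2.1", "2021.1" -> (major, minor, patch, hotfix)
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Parse an Orion version string into a comparable 4-tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_fixed(text: str) -> bool:
    """True when the version is 2020.2.4 HF 2 or later."""
    return parse_version(text) >= FIXED


def assess(text: str) -> str:
    """Human-readable verdict; flags the ambiguous bare-2020.2.4 case separately."""
    v = parse_version(text)
    if v >= FIXED:
        return f"{text}: fixed"
    if v[:3] == FIXED[:3]:
        return f"{text}: base build is 2020.2.4 but hotfix level {v[3]} < 2; check Settings -> About"
    return f"{text}: vulnerable, upgrade to 2020.2.4 HF 2 or later"


def read_registry_version() -> str:
    """Read the Version value under the key quoted on this page (Windows only)."""
    import winreg  # stdlib module that exists only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\SolarWinds\Orion\Core") as key:
        value, _ = winreg.QueryValueEx(key, "Version")
    return str(value)


if __name__ == "__main__":
    try:
        print(assess(read_registry_version()))
    except (ImportError, OSError) as exc:
        # Not on the Orion server (or key missing): show the verdicts for constructed sample strings.
        print(f"could not read registry ({exc}); sample verdicts follow")
        for sample in ("2020.2.1", "2020.2.4", "2020.2.4 HF 2", "2021.1"):
            print(assess(sample))
```

Run it on the Orion server itself to read the registry, or call assess() with the string shown under Settings → About; the conservative handling of a bare "2020.2.4" is deliberate, because a wrong "fixed" verdict is the expensive mistake here.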

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation in Orion directories, especially new .aspx or .ashx files under the web root or files written by the Orion web application outside its normal paths
  • Requests to VulnerabilitySettings.aspx with traversal sequences (../, ..\, or their URL-encoded forms) in the query string
  • Requests to VulnerabilitySettings.aspx from non-browser user agents, from unexpected source addresses, or by accounts that do not normally administer Orion

Network Indicators:

  • POST requests to /Orion/VulnerabilitySettings.aspx with file path parameters (IIS logs record the URI and query string but not the POST body, so a parameter carried in the body is only visible in a web application firewall, reverse proxy, or packet capture)
  • Unusual outbound connections from Orion server

SIEM Query:

source="IIS" cs-uri-stem="*VulnerabilitySettings.aspx*" (cs-method="POST" OR cs-uri-query="*../*" OR cs-uri-query="*..\\*" OR cs-uri-query="*..%2f*" OR cs-uri-query="*..%5c*")

Field names follow the IIS W3C log columns (cs-uri-stem, cs-uri-query, cs-method); adjust them to whatever your SIEM's IIS parser produces. Treat every POST to this endpoint as worth reviewing: legitimate changes are rare and come from administrators' browsers, not from scripts.
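As an added example (not code from this page's author or from SolarWinds), the detection logic above run over constructed IIS W3C log lines: the parser takes its column names from the #Fields header, then scores every request to the endpoint on method, query string, user agent and referer. The sample lines, client addresses and account names are constructed for the example, and the path= query parameter in one of them is an assumption, not a documented Orion parameter.

```python
"""IIS log triage for requests to VulnerabilitySettings.aspx (added example, not SolarWinds code).

Parses IIS W3C extended logs using the #Fields header and scores each request to the
endpoint. The log lines in SAMPLE_LOG are constructed for this example; the "path"
parameter name in one of them is an assumption, not a documented Orion parameter.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

TARGET = "/orion/vulnerabilitysettings.aspx"
# Matched after URL-decoding: "../", "..\", or an absolute Windows path such as C:\
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|[a-z]:\\", re.IGNORECASE)
TOOL_UA_RE = re.compile(r"python|curl|wget|powershell|go-http|libwww|java/", re.IGNORECASE)

# Scoring: traversal evidence outweighs the softer signals; >= HIGH is worth paging on.
SCORES = {"POST to endpoint": 1, "traversal in query": 3, "non-browser user agent": 2, "POST without referer": 1}
HIGH = 3


@dataclass
class Finding:
    time: str
    client: str
    user: str
    method: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(SCORES[r] for r in self.reasons)


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the column names from the #Fields line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        values = raw.split()  # W3C writes spaces inside values as '+', so whitespace split is safe
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def triage(text: str) -> list:
    """Return a Finding for every request to TARGET that shows at least one suspicious signal."""
    findings = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != TARGET:
            continue
        reasons = []
        method = rec["cs-method"].upper()
        query = unquote(unquote(rec["cs-uri-query"]))  # decode twice to catch %255C-style double encoding
        if method == "POST":
            reasons.append("POST to endpoint")
        if TRAVERSAL_RE.search(query):
            reasons.append("traversal in query")
        if TOOL_UA_RE.search(rec.get("cs(User-Agent)", "")):
            reasons.append("non-browser user agent")
        if method == "POST" and rec.get("cs(Referer)", "-") == "-":
            reasons.append("POST without referer")
        if reasons:
            findings.append(Finding(f"{rec['date']} {rec['time']}", rec["c-ip"], rec["cs-username"], method, reasons))
    return findings


def high_priority(findings: list) -> list:
    return [f for f in findings if f.score >= HIGH]


# Constructed sample log: one admin browsing and saving the page legitimately, then a
# scripted client hitting the endpoint with a double-encoded traversal in the query string.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-12-20 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-12-20 10:01:02 10.0.0.5 GET /Orion/VulnerabilitySettings.aspx - 443 CORP\admin 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) https://orion.corp.example/Orion/Admin/Default.aspx 200 0 0 120
2020-12-20 10:01:09 10.0.0.5 POST /Orion/VulnerabilitySettings.aspx - 443 CORP\admin 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) https://orion.corp.example/Orion/VulnerabilitySettings.aspx 302 0 0 95
2020-12-20 10:03:11 10.0.0.5 POST /Orion/VulnerabilitySettings.aspx - 443 CORP\svc-backup 203.0.113.7 python-requests/2.25.0 - 200 0 0 40
2020-12-20 10:03:40 10.0.0.5 GET /orion/vulnerabilitysettings.aspx path=..%255C..%255Cinetpub%255Cx.aspx 443 CORP\svc-backup 203.0.113.7 python-requests/2.25.0 - 200 0 0 12
2020-12-20 10:04:00 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 10
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "HIGH" if f.score >= HIGH else "low "
        print(f"{flag} {f.time} {f.client:15} {f.user:16} {f.method:4} score={f.score} {'; '.join(f.reasons)}")
```

POST bodies never reach the IIS log, so the scoring leans on method, user agent, referer and the query string; the double unquote is there because %255C decodes to %5C and then to a backslash, a common way to slip past single-decode string matches. To run it on real data, read the files under the default IIS location, %SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>\, and pass their text to triage().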
