APP: SolarWinds Orion NPM OrionModuleEngine Remote Code Execution
This signature detects attempts to exploit a known vulnerability against SolarWinds Orion NPM. A successful attack can lead to arbitrary code execution.
Extended Description
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.
Affected Products
Solarwinds orion_network_performance_monitor
References
CVE: CVE-2019-8917
Short Name
APP:SOLARWINDS-ORION-NPM-RCE
Severity
Major
Recommended
True
Recommended Action
Drop
Category
APP
Keywords
CVE-2019-8917 Code Execution NPM Orion OrionModuleEngine Remote SolarWinds
Release Date
06/04/2019
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3337
Port
TCP/17777
False Positive
Unknown
Vendors
Solarwinds
CVSS Score
10.0