Researchers disclosed multiple functions in the Orion Platform that allow an attacker to perform privilege escalation. The issue is tracked as CVE-2021-35234 and lets an attacker with low user privileges steal password hashes and password salt information. The report says the vulnerable functions are in Network Performance Monitor. Let’s see how to fix CVE-2021-35234, a privilege escalation in SolarWinds’s Orion Platform NPM (Network Performance Monitor).
What Is Orion Platform?
SolarWinds’s Orion platform is the underlying platform supporting SolarWinds’s IT management suite of products. It allows you to combine the various product modules of your choice into a unified view to help monitor, manage, and secure the infrastructure and applications.
There are several important functions the platform automates to help save time and reduce manual tasks. It allows you to gather performance metrics, utilization, and configuration of the entities you choose to monitor and view the data in a normalized and easy-to-understand format. It alerts you when anomalies occur and stores the historical information so you can see the trends over time.
The platform-based approach allows you to easily add product modules to expand your visibility and gather the different types of data you need. As more modules are added, a more complete picture of your environment appears, enabling your IT admins to collaborate and resolve IT issues faster.
What Is SolarWinds Network Performance Monitor?
SolarWinds Network Performance Monitor (NPM) is a powerful and affordable product module of the Orion Platform used to monitor the network infrastructure to quickly detect, diagnose, and resolve network performance problems and outages. NPM helps IT administrators enhance their monitoring capability by correlating NetFlow, configuration, virtual, server, and application data. This helps them perform root cause analysis and resolve network performance problems and outages.
Summary Of CVE-2021-35234- Privilege Escalation In SolarWinds’s Orion Platform:
Multiple functions in the Orion Platform core allow an attacker to perform read-only SQL injection, leading to a privilege escalation that lets the attacker steal password hashes and password salt information with low user privileges. The report says that multiple functions of Network Performance Monitor are exposed to this privilege escalation vulnerability.
|Associated CVE ID||CVE-2021-35234|
|Description||Privilege Escalation in SolarWinds’s Orion Platform.|
|Associated ZDI ID||ZDI-21-1596, ZDI-21-1597, ZDI-21-1598, ZDI-21-1599, ZDI-21-1600, ZDI-21-1601, ZDI-21-1602, ZDI-21-1603, ZDI-21-1604|
|Attack Vector (AV)||Adjacent Network|
|Attack Complexity (AC)||High|
|Privilege Required (PR)||Low|
|User Interaction (UI)||None|
List Of SolarWinds’s Network Performance Monitor Functions Affected By CVE-2021-35234:
The privilege escalation vulnerability was found in Network Performance Monitor functions. This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. A crafted request can trigger the execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to escalate privileges to the level of an application administrator. Authentication is required to exploit this vulnerability. Let’s see the list of functions affected by CVE-2021-35234.
Versions Affected By CVE-2021-35234- Privilege Escalation In SolarWinds’s Orion Platform
As per the report, this vulnerability exists in Orion Platform 2020.2.6 Hot Fix 2 and earlier. The flaw is fixed in Orion Platform 2020.2.6 Hot Fix 3 and later. We recommend upgrading to the latest available version.
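The version boundary stated above can be applied to an inventory of Orion servers. The following Python code is an added example, not SolarWinds code and not part of the original article; it assumes version strings shaped like `2020.2.6 HF2` or `2020.2.6 Hot Fix 3`, and the host names and sample strings are constructed.

```python
import re

# First fixed build per the text above: Orion Platform 2020.2.6 Hot Fix 3.
FIRST_FIXED = ((2020, 2, 6), 3)

# Assumed format: optional "Orion Platform", 2-3 numeric parts, optional hotfix suffix.
_VERSION_RE = re.compile(
    r"^\s*(?:Orion\s+Platform\s+)?(\d+(?:\.\d+){1,2})"
    r"(?:\s*(?:HF|Hot\s*Fix)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_orion_version(text):
    """Return ((major, minor, patch), hotfix) for strings such as '2020.2.6 HF2'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # '2022.3' compares as 2022.3.0
    hotfix = int(m.group(2)) if m.group(2) else 0  # no suffix: no hotfix applied
    return tuple(parts), hotfix


def is_affected(text):
    """True when the build is 2020.2.6 Hot Fix 2 or earlier."""
    return parse_orion_version(text) < FIRST_FIXED


def triage(inventory):
    """Map each host to 'affected', 'fixed' or 'unknown' (unparseable string)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"  # never assume an unparseable build is patched
    return result


# Constructed inventory: host names and version strings are sample data.
SAMPLE_INVENTORY = {
    "orion-main": "Orion Platform 2020.2.6 HF2",
    "orion-ha": "2020.2.6 Hot Fix 3",
    "orion-lab": "2020.2.5",
    "orion-new": "2022.3",
    "orion-odd": "build 7781",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check of the installed build before they are treated as patched.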
How To Fix CVE-2021-35234- Privilege Escalation In SolarWinds’s Orion Platform?
You can address the flaw in two ways.
- Install the hotfix: This method will fix the CVE-2021-35234 privilege escalation in the Orion Platform.
- Revoke “Alert Management” and “Report Management” rights for non-admin users: This method is a workaround for those who can’t apply the hotfix immediately.
Install Hotfix Or Upgrade Orion Platform
Installing the hotfix is the best available solution to fix the CVE-2021-35234 privilege escalation vulnerability in Network Performance Monitor.
- Log in to the SolarWinds Customer Portal and download the installer. If you are not registered yet, register using your SolarWinds customer ID. You can install the hotfix either online or offline.
- Online Method: To install the hotfix over the Internet, download the online installation file from Downloads > Download Product. Run the online installation file that will download and install the hotfix for you.
- Offline Method: To install the hotfix using the offline installer file, download the offline installation file from Downloads > Download Product. Run the offline installation file and then follow the instructions in the installation wizard.
Install The Hotfix In High Availability
Follow these instructions to install the hotfix in high availability:
Disable the HA pool before you install the hotfix; otherwise, the HA pool will be disabled when you initiate the installation.
- Log in to the Orion Web Console, click Settings > All Settings > High Availability Deployment Summary.
- Select the pool you want to disable and toggle High Availability to Off.
- Install the hotfix (explained in the previous section) on the primary server in the pool.
- Install the hotfix on the secondary server in the pool.
- Ensure all hotfixes are installed on all the products in the pool before enabling it.
- Toggle the High Availability to turn the HA pool on.
Revoke “Alert Management” And “Report Management” Rights
This is recommended only when immediate installation of the hotfix is not possible. Follow these instructions to revoke “Alert Management” and “Report Management” rights for non-admin Orion users:
- Log in to the Orion Web Console, click Settings > All Settings, and then click Manage Accounts.
- Select a non-admin user and click Edit.
- Make sure both Allow Alert Management Rights and Allow Report Management Rights options are set to No.
- Submit the changes and repeat this for all non-admin users.