CVE-2021-27277
📋 TL;DR
An attacker who can already run low-privileged code on a SolarWinds Orion Virtual Infrastructure Monitor 2020.2 host can escalate to SYSTEM. The flaw is deserialization of untrusted data in the OneTimeJobSchedulerEventsService WCF service: a crafted message sent to that endpoint is deserialized without validation, giving the attacker arbitrary code execution in the context of the SYSTEM account. Fixed in the 2020.2.5 release.
💻 Affected Systems
- SolarWinds Orion Virtual Infrastructure Monitor
📦 What is this software?
Virtual Infrastructure Monitor (VIM) is a feature of the SolarWinds Orion Platform delivered with Server & Application Monitor (SAM), which is why the fix is tracked in the SAM 2020.2.5 release notes. Orion is typically installed on a Windows server that holds credentials for the monitored infrastructure, so a SYSTEM-level compromise of that server is high value.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, data exfiltration, and lateral movement across the network.
Likely Case
Privilege escalation from low-privileged user to SYSTEM, allowing attackers to bypass security controls and maintain persistence on compromised systems.
If Mitigated
Segmentation and least privilege do not remove the local privilege escalation; only the patch does. They do limit who can obtain the low-privileged foothold in the first place (for example by restricting interactive and RDP logon to the Orion server to administrators) and what an attacker can reach from the server after escalating.
🎯 Exploit Status
Attack vector is local: the attacker must first be able to execute low-privileged code on the Orion server. The flaw is deserialization of untrusted data in the OneTimeJobSchedulerEventsService WCF service (ZDI-21-373), reachable from a low-privileged local context. Because the payload is a serialized object rather than a memory-corruption primitive, exploitation is feasible for a skilled attacker once the endpoint and expected message format are understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.2.5
Vendor Advisory: https://documentation.solarwinds.com/en/Success_Center/SAM/Content/Release_Notes/SAM_2020-2-5_release_notes.htm#Fixed
Restart Required: Yes
Instructions:
1. Download the 2020.2.5 release (the fix is listed in the SAM 2020.2.5 release notes) from the SolarWinds customer portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the system after installation completes, then confirm the installed version using the steps under How to Verify.
🔧 Temporary Workarounds
Disable OneTimeJobSchedulerEventsService
Stop and disable the vulnerable service to prevent exploitation. Confirm the service name on your install first with `sc query` (the advisory names a WCF service; the Windows service that hosts it may be registered under a different name), and expect the Orion functionality that service provides to stop working until the patch is applied.
sc stop OneTimeJobSchedulerEventsService
sc config OneTimeJobSchedulerEventsService start= disabled
Restrict service permissions
Apply a strict DACL so that only SYSTEM and Administrators can start, stop or reconfigure the service; Interactive and Service users keep query-only rights. Note that this DACL governs Service Control Manager operations only. It does not restrict who can send messages to the WCF endpoint, so it does not by itself block the deserialization path; treat it as hardening that limits tampering with the workaround above, not as a fix.
sc sdset OneTimeJobSchedulerEventsService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SolarWinds systems from critical assets.
- Enforce least privilege access controls to minimize the impact of low-privileged compromise.
🔍 How to Verify
Check if Vulnerable:
The host is vulnerable if the installed SolarWinds Orion Virtual Infrastructure Monitor build is 2020.2 (anything below 2020.2.5) and the OneTimeJobSchedulerEventsService is running.
Check Version:
wmic product where "name like 'SolarWinds Orion Virtual Infrastructure Monitor%'" get version
Note that `wmic product` triggers a Windows Installer consistency check of every installed product, which is slow and writes MSI reconfiguration entries to the Application log, and WMIC itself is deprecated. On a production Orion server, read the version from the Uninstall registry keys or the Orion web interface instead.
Verify Fix Applied:
Verify the installed version is 2020.2.5 or later using the SolarWinds web interface or version check command.
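The following PowerShell script is an added example, not code from the page or from SolarWinds. It reads the Uninstall registry keys (avoiding the `wmic product` side effects noted above), casts the version string to `[version]` so that "2020.2" correctly sorts below "2020.2.5", and reports each matching product as vulnerable or patched. The `$NamePattern` used to pick out SolarWinds products and the existence of a Windows service literally named `OneTimeJobSchedulerEventsService` are assumptions; adjust the pattern to the DisplayName your install registers.

```powershell
# Added example: check whether the installed SolarWinds Orion build is below the fixed
# 2020.2.5 release. Reads the Uninstall registry keys instead of "wmic product", which
# triggers a Windows Installer consistency check of every installed product.
# Assumption (not from the advisory): the product registers a DisplayName matching
# $NamePattern. Adjust the pattern to what your install shows.

$FixedVersion = [version]'2020.2.5'
$NamePattern  = 'SolarWinds.*(Orion|Server & Application Monitor|Virtual Infrastructure Monitor)'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Products = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $NamePattern -and $_.DisplayVersion }

if (-not $Products) {
    Write-Output 'No matching SolarWinds product found in the Uninstall registry keys.'
    return
}

foreach ($p in $Products) {
    # DisplayVersion strings such as "2020.2" or "2020.2.5.1234" both cast to [version];
    # anything that does not parse is reported rather than silently treated as patched.
    $v = $null
    if ([version]::TryParse($p.DisplayVersion, [ref]$v)) {
        $state = if ($v -lt $FixedVersion) { 'VULNERABLE (pre-2020.2.5)' } else { 'patched' }
    } else {
        $state = "unparseable version '$($p.DisplayVersion)', check manually"
    }
    Write-Output ('{0,-60} {1,-15} {2}' -f $p.DisplayName, $p.DisplayVersion, $state)
}

# The advisory names OneTimeJobSchedulerEventsService as the affected WCF service.
# Whether a Windows service of that exact name is registered is an assumption; if it is,
# report its state so the "disable" workaround can be verified as well.
$svc = Get-Service -Name 'OneTimeJobSchedulerEventsService' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ('Service {0}: Status={1} StartType={2}' -f $svc.Name, $svc.Status, $svc.StartType)
} else {
    Write-Output 'No Windows service named OneTimeJobSchedulerEventsService is registered; the WCF endpoint is hosted inside an Orion process.'
}
```

Run it in an elevated PowerShell session on the Orion server. A line ending in "VULNERABLE" means the patch has not been applied; "patched" alone is not proof that the service was restarted, so pair it with the restart step in the official fix.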
📡 Detection & Monitoring
Log Indicators:
- Child processes (cmd.exe, powershell.exe, rundll32.exe, mshta.exe and similar) spawned by the Orion process that hosts the OneTimeJobSchedulerEventsService WCF service; the WCF service is not itself a process, so look at the parent of the new process rather than for a process of that name
- Security event 4688 (Process Creation, with command-line auditing enabled) where the creating user is SYSTEM (S-1-5-18) and the parent is an Orion binary, and event 4697 (service installed) or new scheduled tasks shortly afterwards, which indicate persistence set up with the escalated token
Network Indicators:
- Unusual outbound connections from the SolarWinds system following local compromise
SIEM Query:
source="windows" AND event_id=4688 AND parent_process="*\\SolarWinds\\*" AND process_name IN ("cmd.exe","powershell.exe","pwsh.exe","rundll32.exe","mshta.exe","wscript.exe","cscript.exe","certutil.exe") AND user="SYSTEM"
Replace `*\\SolarWinds\\*` with the path of the Orion process that hosts the WCF service on your server (identify it locally before deploying the rule). Matching on a process named OneTimeJobSchedulerEventsService or on the string "deserialize" in a command line will not fire: the service runs inside an existing Orion process and the deserialization payload never appears on a command line.
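The detection logic expressed as a standalone PowerShell hunt, added here as an example and not taken from the page or from SolarWinds. It reads Security event 4688 from the last 24 hours, pulls the named fields out of the event XML, and returns any child process created with a SYSTEM token by a process under the SolarWinds install path. `$OrionHostPattern` is an assumption about where the hosting Orion process lives; `ParentProcessName` is only populated on Windows 10 / Server 2016 and later, and command-line auditing must be enabled for the `CommandLine` column to be filled.

```powershell
# Added example: hunt for the post-exploitation footprint of CVE-2021-27277 in the
# Security log. A successful deserialization attack runs inside the Orion process that
# hosts the OneTimeJobSchedulerEventsService WCF service, so the observable is a child
# process (cmd, PowerShell, LOLBins) spawned by that process with a SYSTEM token.
# Assumptions: Process Creation auditing (event 4688) with command-line logging is on,
# and $OrionHostPattern matches the actual Orion host executable on this server.
# Identify it first, e.g. with: Get-Process | Where-Object Path -like '*SolarWinds*'

$OrionHostPattern = '\\SolarWinds\\'   # assumption: install path of the hosting process
$SuspiciousChild  = 'cmd\.exe$|powershell\.exe$|pwsh\.exe$|rundll32\.exe$|mshta\.exe$|wscript\.exe$|cscript\.exe$|certutil\.exe$'
$Since            = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull named fields from the event XML rather than regexing the rendered message,
    # so the logic does not depend on the display language of the server.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
    $child  = $data['NewProcessName']
    $sid    = $data['SubjectUserSid']      # S-1-5-18 is LocalSystem

    if ($parent -match $OrionHostPattern -and $child -match $SuspiciousChild -and $sid -eq 'S-1-5-18') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = $data['CommandLine']   # empty unless command-line auditing is enabled
            User        = $sid
        }
    }
}
```

Any row returned deserves a look: Orion's own scheduled jobs do spawn helper processes, so baseline the normal parent/child pairs on a known-good server for a day before treating a hit as an incident, and tighten `$SuspiciousChild` to exclude the legitimate ones rather than loosening the SYSTEM check.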
🔗 References
- https://documentation.solarwinds.com/en/Success_Center/SAM/Content/Release_Notes/SAM_2020-2-5_release_notes.htm#Fixed
- https://www.zerodayinitiative.com/advisories/ZDI-21-373/