CVE-2021-35212

8.9 HIGH

📋 TL;DR

CVE-2021-35212 is a blind Boolean SQL injection vulnerability in SolarWinds Orion Platform that allows authenticated users to escalate privileges and gain full read/write access to the Orion database, including sensitive certificates. This affects any organization running vulnerable versions of SolarWinds Orion products. Attackers could compromise the entire Orion infrastructure through this vulnerability.

💻 Affected Systems

Products:
  • SolarWinds Orion Platform
Versions: 2020.2.5 HF 1 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Orion Platform deployments with default configurations. Requires authenticated access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Orion database leading to certificate theft, lateral movement across the network, and persistent backdoor access to managed systems.

🟠 Likely Case: Privilege escalation to administrative access, data exfiltration from the Orion database, and potential credential harvesting.

🟢 If Mitigated: Limited impact if proper network segmentation, least privilege access, and monitoring are implemented.

🌐 Internet-Facing: HIGH - Orion platforms often have internet-facing management interfaces, making them prime targets.
🏢 Internal Only: HIGH - Even internally, authenticated users can exploit this to gain administrative privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. ZDI has published technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.6 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35212

Restart Required: Yes

Instructions:

1. Download Orion Platform 2020.2.6 or later from the SolarWinds Customer Portal.
2. Back up the current Orion installation.
3. Run the installer with administrative privileges.
4. Restart Orion services after installation completes.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to Orion Platform to only trusted administrative networks and users.

Principle of Least Privilege

Review and minimize user accounts with access to Orion Platform, removing unnecessary privileges.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Orion Platform access to essential personnel only.
  • Enable detailed SQL query logging and monitor for unusual database access patterns.

🔍 How to Verify

Check if Vulnerable:

Check Orion Platform version in web interface under Settings > All Settings > Product Information.

Check Version:

Not applicable - check via Orion web interface or Windows Services for Orion version.

Verify Fix Applied:

Verify version is 2020.2.6 or later and test that SQL injection payloads no longer execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in Orion database logs
  • Multiple failed login attempts followed by successful authentication
  • Unexpected privilege escalation events

Network Indicators:

  • Unusual database connection patterns to Orion SQL server
  • HTTP requests containing SQL injection patterns to Orion web interface

SIEM Query:

source="orion_logs" AND ("sql injection" OR "privilege escalation" OR "unusual query")
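As an added illustration of the HTTP-side indicator above (this is example code, not part of the original advisory or any SolarWinds tooling), the following Python script scans constructed web-access log lines for the repeated true/false probing that a blind Boolean SQL injection produces and groups the hits per source. The log format, path and parameter name are placeholders, not real Orion endpoints or Orion log formats.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines; path and parameter are placeholders,
# not real Orion endpoints. Format: date time client user method url status
SAMPLE_LOG = """\
2021-07-01 10:00:01 10.0.0.5 alice GET /app/search.aspx?q=router 200
2021-07-01 10:00:02 10.0.0.5 alice GET /app/search.aspx?q=router%27+AND+1%3D1-- 200
2021-07-01 10:00:03 10.0.0.5 alice GET /app/search.aspx?q=router%27+AND+1%3D2-- 200
2021-07-01 10:00:04 10.0.0.5 alice GET /app/search.aspx?q=router%27+AND+ASCII%28SUBSTRING%28name%2C1%2C1%29%29%3E64-- 200
2021-07-01 10:00:05 10.0.0.9 bob GET /app/search.aspx?q=core+switch 200
"""

# Signatures of boolean-based blind injection: a closing quote followed by a
# true/false condition, byte-probing functions, or a trailing SQL comment.
INDICATORS = {
    "tautology": re.compile(r"'\s*(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "char_probe": re.compile(r"\b(SUBSTRING|ASCII|CHAR|LEN)\s*\(", re.I),
    "comment_tail": re.compile(r"(--|/\*)\s*$"),
}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<user>\S+) "
    r"(?P<method>\S+) (?P<path>[^?\s]+)(?:\?(?P<query>\S*))? (?P<status>\d+)$"
)

def parse_line(line):
    """Split one log line into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def sqli_indicators(query):
    """Names of the signatures present in a URL-decoded query string."""
    decoded = unquote_plus(query or "")
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def find_blind_sqli(log_text, min_hits=2):
    """Group flagged requests by (client, user, path); a source that repeats
    injection-like requests is doing the true/false probing blind SQLi needs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        found = sqli_indicators(rec["query"]) if rec else []
        if found:
            hits[(rec["client"], rec["user"], rec["path"])].append((rec["time"], found))
    return {key: reqs for key, reqs in hits.items() if len(reqs) >= min_hits}
```

Running find_blind_sqli(SAMPLE_LOG) flags only alice's session, since a single legitimate search never trips a signature while the three probing requests from one source do.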
