CVE-2021-35226
📋 TL;DR
SolarWinds Network Configuration Manager (NCM) exposes encrypted password fields through the SolarWinds Information Service (SWIS) to authenticated users with NCM roles. This allows authorized users to potentially access sensitive credentials they shouldn't have access to. The vulnerability affects SolarWinds NCM installations with the misconfigured entity.
💻 Affected Systems
- SolarWinds Network Configuration Manager
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider or compromised account with NCM role could access encrypted credentials, potentially leading to lateral movement, privilege escalation, or network compromise.
Likely Case
Authorized users could access credentials they're not supposed to see, violating least privilege principles and potentially enabling unauthorized access to managed devices.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who already have NCM access, though they gain unauthorized credential visibility.
🎯 Exploit Status
Exploitation requires existing NCM role authentication and knowledge of SWIS API endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.2.5 and later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35226
Restart Required: Yes
Instructions:
1. Download SolarWinds NCM 2020.2.5 or later from the SolarWinds Customer Portal.
2. Run the installer on the NCM server.
3. Follow upgrade prompts and restart services as required.
🔧 Temporary Workarounds
Restrict SWIS Access
(Windows) Limit access to the SWIS API to only the necessary users and systems.
Configure firewall rules to restrict access to SWIS port (17778 by default)
Review and tighten NCM role assignments in SolarWinds Orion
Audit NCM Role Assignments
(All platforms) Review and remove unnecessary NCM role assignments to reduce attack surface.
In Orion Web Console: Settings > Manage Accounts > Review NCM role assignments
🧯 If You Can't Patch
- Implement strict access controls to SWIS and monitor for unusual API access patterns.
- Regularly audit NCM user accounts and remove unnecessary privileges.
🔍 How to Verify
Check if Vulnerable:
Check NCM version in Orion Web Console: Settings > All Settings > Product & License Information. If version is below 2020.2.5, system is vulnerable.
Check Version:
In Orion Web Console: Settings > All Settings > Product & License Information
Verify Fix Applied:
Verify version is 2020.2.5 or higher in Product & License Information. Test that password fields are no longer exposed via SWIS API calls.
📡 Detection & Monitoring
Log Indicators:
- Unusual SWIS API access patterns
- Multiple failed authentication attempts to SWIS
- Access to credential-related endpoints by non-admin users
Network Indicators:
- Unusual traffic to SWIS port (17778)
- API calls to credential-related endpoints
SIEM Query:
source="solarwinds" AND (event_type="api_access" AND (endpoint="*password*" OR endpoint="*credential*"))
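The log indicators and SIEM query above, applied to a few sample events, as an added example that is not SolarWinds code or part of the original page. The `source`, `event_type` and `endpoint` fields come from the query; the `user` and `role` fields, the `auth_failure` event type, the endpoint paths and the failure threshold are assumptions, and all events are constructed.

```python
import fnmatch
from collections import Counter

# Constructed sample events. source/event_type/endpoint mirror the SIEM query;
# user, role and the endpoint paths are assumed placeholders, not real SWIS paths.
EVENTS = [
    {"source": "solarwinds", "event_type": "api_access", "user": "ncm_ops1",
     "role": "ncm", "endpoint": "/example/nodes"},
    {"source": "solarwinds", "event_type": "api_access", "user": "ncm_ops1",
     "role": "ncm", "endpoint": "/example/profile/Password"},
    {"source": "solarwinds", "event_type": "api_access", "user": "orion_admin",
     "role": "admin", "endpoint": "/example/device-credential"},
    {"source": "other", "event_type": "api_access", "user": "web1",
     "role": "ncm", "endpoint": "/example/password"},
    {"source": "solarwinds", "event_type": "auth_failure", "user": "ncm_ops1"},
] + [{"source": "solarwinds", "event_type": "auth_failure", "user": "svc_backup"}] * 3

CREDENTIAL_PATTERNS = ("*password*", "*credential*")
FAILED_AUTH_THRESHOLD = 3  # assumed threshold; tune to your baseline


def credential_endpoint_hits(events):
    """Same filter as the SIEM query: SolarWinds api_access to credential-like endpoints."""
    hits = []
    for e in events:
        if e.get("source") != "solarwinds" or e.get("event_type") != "api_access":
            continue
        endpoint = e.get("endpoint", "").lower()  # match case-insensitively
        if any(fnmatch.fnmatchcase(endpoint, p) for p in CREDENTIAL_PATTERNS):
            hits.append(e)
    return hits


def non_admin_hits(events):
    """Log indicator: credential-related endpoints accessed by non-admin users."""
    return [e for e in credential_endpoint_hits(events) if e.get("role") != "admin"]


def repeated_auth_failures(events, threshold=FAILED_AUTH_THRESHOLD):
    """Log indicator: multiple failed authentication attempts, counted per user."""
    failures = Counter(e.get("user") for e in events
                       if e.get("source") == "solarwinds" and e.get("event_type") == "auth_failure")
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for e in non_admin_hits(EVENTS):
        print("ALERT credential endpoint, non-admin:", e["user"], e["endpoint"])
    for user, n in repeated_auth_failures(EVENTS).items():
        print("ALERT repeated auth failures:", user, n)
```

Map the field names to whatever your log pipeline actually emits for SWIS traffic before using the rules.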