CVE-2021-35234
📋 TL;DR
This vulnerability in SolarWinds Orion Core allows authenticated low-privilege users to perform SQL injection attacks through exposed dangerous functions. Attackers can steal password hashes and salt information, potentially leading to privilege escalation. Organizations running vulnerable versions of SolarWinds Orion Platform are affected.
💻 Affected Systems
- SolarWinds Orion Platform
📦 What is this software?
Orion Platform by Solarwinds
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Orion Platform with administrative access, credential theft across the environment, and lateral movement to connected systems.
Likely Case
Privilege escalation from low-privilege user to administrator, theft of password hashes for offline cracking, and potential access to sensitive configuration data.
If Mitigated
Limited to authenticated users only, with proper network segmentation preventing lateral movement and strong password policies reducing hash cracking effectiveness.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Multiple proof-of-concept examples exist in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.2.6 Hotfix 3 or later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35234
Restart Required: Yes
Instructions:
1. Download Hotfix 3 from the SolarWinds Success Center.
2. Stop Orion services.
3. Apply the hotfix.
4. Restart Orion services.
5. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Restrict User Privileges
Minimize the number of users with access to the Orion Platform and apply the principle of least privilege.
Network Segmentation
Isolate the Orion Platform from the internet and restrict access to trusted networks only.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Orion Platform
- Enable detailed logging and monitoring for SQL injection attempts and unusual authentication patterns
🔍 How to Verify
Check if Vulnerable:
Check the Orion Platform version in the web interface or via 'About' in the Orion Web Console. Version 2020.2.6 without Hotfix 3, and all earlier versions, are vulnerable.
Check Version:
In Orion Web Console, navigate to Settings → About Orion to view version information.
Verify Fix Applied:
Verify version is 2020.2.6 Hotfix 3 or later. Check patch installation logs for successful application of Hotfix 3.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries from authenticated users
- Multiple failed authentication attempts followed by successful login
- Access to password hash tables from non-admin accounts
Network Indicators:
- SQL injection patterns in HTTP requests to Orion endpoints
- Unusual outbound connections from Orion server
SIEM Query:
source="orion_logs" AND event_type="sql_query" AND (query CONTAINS "password_hash" OR query CONTAINS "password_salt")
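The two log indicators above (credential-table access from non-admin accounts, and injection patterns in queries) can be turned into a small detection routine. The following is an added example, not code from SolarWinds or from the page's advisories: it parses constructed key=value log lines, applies the same filter as the SIEM query (source, event type, and hash/salt column names), escalates severity when the account is not an administrator, and separately flags crude SQL injection markers. The log layout, field names (`source`, `event_type`, `user`, `role`, `query`) and the role value `admin` are assumptions for this example, not the real Orion log format.

```python
import re
from typing import Dict, List

# Constructed sample log lines. The key=value layout is an assumption made for
# this example; it is not SolarWinds' real Orion log format.
SAMPLE_LOGS = [
    'ts=2021-09-01T10:00:01Z source=orion_logs event_type=sql_query user=alice role=admin '
    'query="SELECT Name FROM Nodes WHERE NodeID = 42"',
    'ts=2021-09-01T10:00:02Z source=orion_logs event_type=sql_query user=bob role=user '
    'query="SELECT password_hash, password_salt FROM Accounts"',
    'ts=2021-09-01T10:00:03Z source=orion_logs event_type=login user=bob role=user query=""',
    'ts=2021-09-01T10:00:04Z source=orion_logs event_type=sql_query user=carol role=user '
    'query="SELECT Caption FROM Nodes WHERE NodeID = 7 OR 1=1"',
    'ts=2021-09-01T10:00:05Z source=other event_type=sql_query user=dave role=user '
    'query="SELECT password_salt FROM Accounts"',
]

# key=value pairs; values may be double-quoted (and may then contain spaces).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Crude tautology / comment / stacked-statement markers often seen in injection
# attempts. Deliberately simple: a starting point for tuning, not a SQL parser.
_SQLI_MARKERS = re.compile(
    r"(\bOR\b\s+\d+\s*=\s*\d+)|(--\s*$)|(\bUNION\b\s+\bSELECT\b)|(;\s*\bDROP\b)",
    re.IGNORECASE,
)

# Column names named in the page's SIEM query.
CREDENTIAL_COLUMNS = ("password_hash", "password_salt")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted values unwrapped)."""
    return {key: (quoted or unquoted) for key, quoted, unquoted in _KV.findall(line)}


def touches_credential_columns(event: Dict[str, str]) -> bool:
    """Same logic as the SIEM query, with the parentheses placed so that the
    source and event_type filters apply to both column names."""
    if event.get("source") != "orion_logs" or event.get("event_type") != "sql_query":
        return False
    query = event.get("query", "").lower()
    return any(col in query for col in CREDENTIAL_COLUMNS)


def looks_like_injection(query: str) -> bool:
    """True when the query text carries one of the crude injection markers."""
    return bool(_SQLI_MARKERS.search(query))


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per suspicious event, with a severity and a reason."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_line(line)
        if touches_credential_columns(event):
            # Assumed role value: anything other than "admin" is low-privilege.
            non_admin = event.get("role", "").lower() != "admin"
            alerts.append({
                "user": event.get("user", "?"),
                "severity": "high" if non_admin else "medium",
                "reason": "credential columns referenced"
                          + (" by non-admin account" if non_admin else ""),
            })
        elif event.get("event_type") == "sql_query" and looks_like_injection(event.get("query", "")):
            alerts.append({
                "user": event.get("user", "?"),
                "severity": "medium",
                "reason": "SQL injection pattern in query",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"[{alert['severity'].upper()}] user={alert['user']}: {alert['reason']}")
```

Run as a script it reports bob (high: credential columns from a non-admin account) and carol (medium: tautology in the query). The dave line is deliberately not reported because its `source` is not `orion_logs`, mirroring the SIEM query's scoping; widen that filter if credential tables are queried through other data paths in your deployment.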
🔗 References
- https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm
- https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-3
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35234
- https://www.zerodayinitiative.com/advisories/ZDI-21-1596/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1597/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1598/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1599/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1600/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1601/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1602/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1603/
- https://www.zerodayinitiative.com/advisories/ZDI-21-1604/