CVE-2021-35244 Overview
CVE-2021-35244 is an unrestricted file upload vulnerability affecting the SolarWinds Orion Platform. The "Log alert to a file" action within the action management feature enables any Orion Platform user with Orion alert management rights to write to any file on the system. An attacker with Orion alert management rights could leverage this vulnerability to perform an unrestricted file upload, ultimately achieving remote code execution on the affected system.
Critical Impact
Authenticated attackers with alert management privileges can achieve remote code execution by exploiting the unrestricted file write capability, potentially compromising the entire Orion Platform infrastructure and connected network monitoring systems.
Affected Products
- SolarWinds Orion Platform (versions prior to 2020.2.6 Hotfix 3)
- SolarWinds Orion Platform 2020.2.6
- SolarWinds Orion Platform 2020.2.6 Hotfix 1 and Hotfix 2
- Microsoft Windows (as the underlying operating system)
Discovery Timeline
- December 20, 2021 - CVE-2021-35244 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35244
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw exists in the action management component of the SolarWinds Orion Platform, specifically within the "Log alert to a file" functionality. The vulnerability allows authenticated users with alert management permissions to specify arbitrary file paths when configuring alert logging, effectively bypassing intended file system access restrictions.
The attack requires network access and high privileges (alert management rights), but once these conditions are met, exploitation requires no user interaction. A successful attack can result in complete compromise of the affected system's confidentiality, integrity, and availability.
Root Cause
The root cause of this vulnerability lies in insufficient validation of file paths and file types within the alert logging mechanism. When users configure the "Log alert to a file" action, the application fails to properly restrict:
- The destination file path, allowing writes to arbitrary system locations
- The content type being written, enabling the upload of malicious executable content
This lack of proper input validation and access control allows authenticated attackers to abuse legitimate functionality for malicious purposes.
Attack Vector
The attack is network-based and requires an authenticated attacker with Orion alert management privileges. The exploitation flow involves:
- An attacker authenticates to the Orion Platform with credentials that have alert management rights
- The attacker navigates to the action management interface
- Using the "Log alert to a file" feature, the attacker specifies a malicious file path (such as a web-accessible directory or system location)
- The attacker crafts alert content containing executable code or malicious payloads
- When the alert triggers, the malicious content is written to the specified location
- The attacker accesses or triggers the uploaded malicious file to achieve code execution
The vulnerability allows writing arbitrary content to any file path accessible by the Orion Platform service account, which typically runs with elevated privileges on Windows systems.
Detection Methods for CVE-2021-35244
Indicators of Compromise
- Unusual file creation or modification in web-accessible directories under the Orion Platform installation path
- Alert actions configured to write to unexpected file paths, particularly those containing executable extensions (.aspx, .asp, .exe, .dll)
- Abnormal process execution originating from the Orion Platform service or IIS worker processes
- New or modified files in C:\inetpub\ or SolarWinds installation directories created by the Orion service account
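The following is an added example, not SolarWinds code and not part of the original advisory. It reviews configured "Log alert to a file" destinations by normalizing each Windows path and flagging the conditions listed above. The allowed directory, the benign-extension list and the (name, path) record format are assumptions; how the action list is exported from Orion is left to the operator.

```python
import ntpath  # Windows path semantics, usable on any OS

ALLOWED_DIR = r"D:\OrionAlertLogs"            # assumption: dedicated alert-log directory
ALLOWED_EXT = {".log", ".txt", ".csv"}        # assumption: benign log extensions
EXEC_EXT = {".aspx", ".asp", ".exe", ".dll"}  # extensions named in the advisory
ALLOWED_ROOT = ntpath.normcase(ntpath.normpath(ALLOWED_DIR))

def audit_destination(path):
    """Return the findings for one configured log path (empty list = acceptable)."""
    findings = []
    # Collapse "..", unify separators and case before any comparison.
    norm = ntpath.normcase(ntpath.normpath(path))
    _drive, rest = ntpath.splitdrive(norm)
    if not ntpath.isabs(norm):
        findings.append("relative path")
    if ":" in rest:
        # A colon after the drive part is stream or device syntax, never a plain log file.
        findings.append("stream or device syntax")
    # Windows drops trailing dots and spaces, so strip them before reading the extension.
    ext = ntpath.splitext(norm.rstrip(". "))[1]
    if ext in EXEC_EXT:
        findings.append("executable extension " + ext)
    elif ext not in ALLOWED_EXT:
        findings.append("unexpected extension " + (ext or "(none)"))
    if not norm.startswith(ALLOWED_ROOT + "\\"):
        findings.append("outside allowed directory")
    return findings

def audit_actions(actions):
    """Map action name -> findings for every action with at least one finding."""
    flagged = {}
    for name, path in actions:
        findings = audit_destination(path)
        if findings:
            flagged[name] = findings
    return flagged

# Constructed sample records (action name, configured log path); not real Orion data.
SAMPLE_ACTIONS = [
    ("Node down log", r"D:\OrionAlertLogs\node-down.log"),
    ("Volume alert", r"D:\OrionAlertLogs\..\inetpub\wwwroot\status.aspx"),
    ("Interface alert", "d:/orionalertlogs/notes.aspx. "),
    ("App alert", r"C:\Windows\Temp\alerts.txt"),
]

if __name__ == "__main__":
    for name, findings in audit_actions(SAMPLE_ACTIONS).items():
        print(name + ": " + "; ".join(findings))
```

The same checks, applied when the action is saved rather than after the fact, are the kind of destination validation the Root Cause section describes as missing.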
Detection Strategies
- Monitor audit logs for changes to alert action configurations, specifically those involving file logging actions
- Implement file integrity monitoring (FIM) on SolarWinds Orion installation directories and web root folders
- Review Orion Platform audit trails for users creating or modifying alert actions with file logging destinations
- Deploy endpoint detection rules to identify unexpected file writes by the SolarWinds.BusinessLayerHost.exe or related service processes
Monitoring Recommendations
- Enable verbose logging for action management activities within the Orion Platform
- Configure SIEM alerts for file creation events in sensitive directories by Orion-related service accounts
- Regularly audit user accounts with alert management permissions and validate their business need for such access
- Monitor for web shell indicators in web-accessible directories associated with the Orion Platform
How to Mitigate CVE-2021-35244
Immediate Actions Required
- Apply SolarWinds Orion Platform 2020.2.6 Hotfix 3 or upgrade to a later patched version immediately
- Audit all user accounts with alert management rights and remove unnecessary privileges following the principle of least privilege
- Review existing alert actions for suspicious file logging configurations and disable or remove any unauthorized entries
- Implement network segmentation to limit access to the Orion Platform management interface
Patch Information
SolarWinds has released a hotfix to address this vulnerability. Affected organizations should apply Orion Platform 2020.2.6 Hotfix 3 or upgrade to a later supported version. For additional security hardening guidance, refer to the SolarWinds Secure Configuration Guide.
Workarounds
- Restrict alert management permissions to only essential administrative accounts until patching is complete
- Disable the "Log alert to a file" action type if not required for business operations
- Implement application-level firewall rules to limit access to the Orion Platform web interface from trusted networks only
- Monitor and restrict file system permissions for the Orion service account to prevent writes to sensitive directories
- Review users with alert management permissions in Orion Platform: navigate to Settings > All Settings > Accounts > Manage Accounts, audit each account's role assignments, and remove unnecessary alert management rights
- Verify hotfix installation status: check the installed version in Settings > All Settings > Orion Web Console Settings and ensure the version shows 2020.2.6 HF3 or later

