CVE-2021-35234: 
SolarWinds Platform vulnerability analysis and mitigation

CVE-2021-35234 is a privilege escalation vulnerability discovered in SolarWinds Orion Platform's Network Performance Monitor. The vulnerability was disclosed on December 20, 2021, affecting Orion Platform versions 2020.2.6 HF2 and earlier. The flaw exists in multiple exposed dangerous functions within Orion Core that allow for read-only SQL injection, enabling an attacker with low-user privileges to steal password hashes and password salt information (SolarWinds Advisory).

The vulnerability exists within multiple functions of the SolarWinds.Orion.Core.Actions.dll module, including TextToSpeech, PlaySound, CustomStatus, CustomProperty, WriteToEventLog, Email, and SendSyslog classes. A crafted request can trigger execution of SQL queries composed from user-supplied strings. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Authentication is required to exploit this vulnerability (ZDI Advisory).

An attacker who successfully exploits this vulnerability can escalate privileges to the level of an application administrator. This elevated access allows the attacker to steal password hashes and password salt information, potentially compromising the security of the entire system (NVD).

SolarWinds has released Orion Platform 2020.2.6 HF3 to address this vulnerability. For organizations unable to immediately apply the hotfix, a workaround is available by revoking 'Alert Management' and 'Report Management' rights for non-admin users. This can be done by logging into the Orion Web Console, navigating to Settings > All Settings > Manage Accounts, and ensuring both Allow Alert Management Rights and Allow Report Management Rights options are set to No for all non-admin users (SecMaster).