SB2021110223 - Privilege escalation in SolarWinds Network Performance Monitor




Published: November 2, 2021

Security Bulletin ID: SB2021110223
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-35225)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because each authenticated Orion user in the MSP (Managed Service Provider) environment can view and browse all NetPath Services from all of the MSP's customers. A remote authenticated attacker can gain limited insight into other customers' infrastructure and cause potential data cross-contamination.


Remediation

Install the update from the vendor's website.