SolarWinds Orion Platform RenderControl.aspx Vulnerability

November 5, 2021

Overview:

  The SolarWinds Orion Platform is the base platform used by numerous SolarWinds products such as Network Performance Monitor, Virtualization Manager, and Server Configuration Monitor. The platform is designed to seamlessly integrate all Orion-based products into a single interface. The core Orion platform utilizes a web-based interface built using ASP.NET and by default is accessible via HTTP on port 8787

  An insecure deserialization vulnerability has been reported in SolarWinds Orion, the core platform for multiple SolarWinds products. The vulnerability is due to insufficient validation of user-supplied JSON data submitted to the RenderControl.aspx endpoint.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation results in remote code execution under the security context of NETWORK SERVICE.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-35215.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.9 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Several UI elements in SolarWinds Orion Platform utilize controls to render customized ASP.NET pages. To load the content of these custom controls, the application sends a POST request to the endpoint “/Orion/ RenderControl.aspx”. This endpoint reads the type of the control from the Control parameter and the control’s properties from the config parameter. These parameters can be submitted either via the request-URI query or via a JSON object in the HTTP body of the request. When the endpoint processes the request, it first loads the requested control, then sets each of the control’s properties as set in the config parameter. The control parameters are set by invoking the setter function associated with each property.

  An insecure deserialization vulnerability exists in SolarWinds Orion Platform. The vulnerability is due to a lack of sanitization of parameters sent to the RenderControl.aspx endpoint. This endpoint allows loading an arbitrary control, and setting properties of that control to arbitrary values. Due to the fact there is no check to see if a given control property setter method is safe to be invoked, a malicious control, such as an instance of the SolarWinds.Orion.Web.Actions.ActionPluginBaseView class with a crafted ViewContextJsonString property may be sent by an attacker. This results in invocation of the ParseViewContext() method on the malicious property, which in turn calls the JsonConvert.DeserializeObject() method to deserialize the property as SolarWinds.Orion.Core.Models.Actions.Contexts.AlertingActionContext if the EnviromentType property is set to “Alerting”, or as SolarWinds.Orion.Core.Models.Actions.Contexts.ReportingActionContext if the EnviromentType property is set to “Reporting”. Both of these classes inherit from SolarWinds.Orion.Core.Models.Actions.Contexts.ActionContextBase, which can be leveraged to achieve remote code execution using the known gadget chain used in the public exploit for CVE-2021-31474.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted serialized object to the target server. Successful exploitation can result in arbitrary code execution under the security context of NETWORK SERVICE.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the target server.
  • The attacker must authenticate to the target application.

Trigging Conditions:

  The attacker authenticates to the target application. Next, the attacker sends a crafted HTTP request to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8787/TCP

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 2168 SolarWinds Orion RenderControl Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch resolving the vulnerability.
    • Upgrading to a version unaffected by the vulnerability.
    • Detecting and filtering malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory