SolarWinds has fixed eight critical vulnerabilities in its Access Rights Manager (ARM) software, six of which allowed attackers to gain remote code execution (RCE) on vulnerable devices.
Access Rights Manager is a critical tool in enterprise environments that helps admins manage and audit access rights across their organization’s IT infrastructure to minimize threat impact.
The RCE vulnerabilities (CVE-2024-23469, CVE-2024-23466, CVE-2024-23467, CVE-2024-28074, CVE-2024-23471, and CVE-2024-23470)—all rated with 9.6/10 severity scores—let attackers without privileges perform actions on unpatched systems by executing code or commands, with or without SYSTEM privileges depending on the exploited flaw.
The company also patched three critical directory traversal flaws (CVE-2024-23475 and CVE-2024-23472) that allow unauthenticated users to perform arbitrary file deletion and obtain sensitive information after accessing files or folders outside of restricted directories.
It also fixed a high-severity authentication bypass vulnerability (CVE-2024-23465) that can let unauthenticated malicious actors gain domain admin access within the Active Directory environment.
SolarWinds patched the flaws (all reported through Trend Micro’s Zero Day Initiative) in Access Rights Manager 2024.3, released on Wednesday with bug and security fixes.
The company has yet to reveal whether proof-of-concept exploits for these flaws are available in the wild or whether any of them have been exploited in attacks.
CVE-ID | Vulnerability Title |
---|---|
CVE-2024-23469 | SolarWinds ARM Exposed Dangerous Method Remote Code Execution |
CVE-2024-23466 | SolarWinds ARM Directory Traversal Remote Code Execution Vulnerability |
CVE-2024-23467 | SolarWinds ARM Directory Traversal Remote Code Execution Vulnerability |
CVE-2024-28074 | SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability |
CVE-2024-23471 | SolarWinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability |
CVE-2024-23470 | SolarWinds ARM UserScriptHumster Exposed Dangerous Method RCE Vulnerability |
CVE-2024-23475 | SolarWinds ARM Directory Traversal and Information Disclosure Vulnerability |
CVE-2024-23472 | SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure |
CVE-2024-23465 | SolarWinds ARM ChangeHumster Exposed Dangerous Method Authentication Bypass |
In February, the company patched five other RCE vulnerabilities in the Access Rights Manager (ARM) solution, three of which were rated critical because they allowed unauthenticated exploitation.
Four years ago, SolarWinds’ internal systems were breached by the Russian APT29 hacking group. The threat group injected malicious code into Orion IT administration platform builds downloaded by customers between March 2020 and June 2020.
With over 300,000 customers worldwide at the time, SolarWinds serviced 96% of Fortune 500 companies, including high-profile tech companies like Apple, Google, and Amazon, and government organizations like the U.S. Military, Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.
However, even though the Russian state hackers used the trojanized updates to deploy the Sunburst backdoor on thousands of systems, they only targeted a significantly smaller number of Solarwinds customers for further exploitation.
After the supply-chain attack was disclosed, multiple U.S. government agencies confirmed their networks were breached in the campaign. These included the Departments of State, Homeland Security, Treasury, and Energy, as well as the National Telecommunications and Information Administration (NTIA), the National Institutes of Health, and the National Nuclear Security Administration.
In April 2021, the U.S. government formally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the 2020 Solarwinds attack, and the U.S. Securities and Exchange Commission (SEC) charged SolarWinds in October 2023 for failing to notify investors of cybersecurity defense issues before the hack.