SolarWinds has patched three remote code execution (RCE) bugs in its Access Rights Manager software.
The three critical-rated bugs were discovered and reported to SolarWinds by the Zero Day Initiative (ZDI) in June, and the two organisations disclosed the bugs on October 19.
CVE-2023-35182 is a deserialisation bug. “The specific flaw exists within the createGlobalServerChannelInternal method,” ZDI’s notice says.
“The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data.
“An attacker can leverage this vulnerability to execute code in the context of SYSTEM.”
CVE-2023-35185 is a bug in the software’s OpenFile method. A failure to properly validate user-supplied file paths gives attackers a path to RCE, ZDI said.
The third bug, CVE-2023-35187, is also a file path validation failure, this time in the OpenClientUpdateFile method. Once again, it provides attackers with a path to RCE.
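Two of the three critical bugs come down to the same defensive failure: a file path supplied by the caller is used without checking that it stays inside the directory the method is meant to serve. The following Python is an added illustration of that check, not SolarWinds code and not the actual OpenFile or OpenClientUpdateFile logic; the root directory, file names and the flawed "prefix" variant are constructed for the example. It shows why a string-prefix comparison is not enough and how canonicalising the path before a containment test closes the gap.

```python
from pathlib import Path

# Constructed example root for the demonstration; not a path from the
# page or from the product.
ALLOWED_ROOT = Path("/srv/example-app/client-updates")


def _candidate(root: Path, requested: str) -> Path:
    """Join the caller-supplied name onto the root and canonicalise it."""
    # Treat backslashes as separators so Windows-style traversal
    # ("..\\..\\x") is still caught when this check runs on a POSIX host.
    normalised = requested.replace("\\", "/")
    # resolve() collapses ".." segments and follows symlinks in the parts
    # of the path that exist, so the containment test sees the real target.
    return (root / normalised).resolve()


def prefix_check_is_safe(requested: str, root: Path = ALLOWED_ROOT) -> bool:
    """Flawed validation, kept here to show the gap: a plain string-prefix
    test accepts a sibling directory whose name merely starts with the root."""
    root = root.resolve()
    return str(_candidate(root, requested)).startswith(str(root))


def is_safe_client_path(requested: str, root: Path = ALLOWED_ROOT) -> bool:
    """Hardened validation: the canonical path must be a strict descendant
    of the canonical root. Absolute paths, ".." escapes, empty names and
    embedded NUL bytes are all rejected."""
    if not requested or "\x00" in requested:
        return False
    root = root.resolve()
    candidate = _candidate(root, requested)
    if candidate == root:
        # The root itself is a directory, never a file to hand out.
        return False
    return candidate.is_relative_to(root)


def open_client_file(requested: str, root: Path = ALLOWED_ROOT):
    """Open a file only after the containment check passes; callers get a
    PermissionError instead of a handle to an arbitrary file."""
    if not is_safe_client_path(requested, root):
        raise PermissionError(f"refusing path outside update root: {requested!r}")
    return open(_candidate(root.resolve(), requested), "rb")


if __name__ == "__main__":
    samples = [
        "client.msi",                      # ordinary file under the root
        "x64/../client.msi",               # harmless ".." that stays inside
        "../../etc/passwd",                # classic traversal
        "/etc/passwd",                     # absolute path replaces the root
        "..\\..\\Windows\\win.ini",        # Windows-style traversal
        "../client-updates-old/evil.dll",  # sibling dir fools a prefix test
    ]
    for s in samples:
        print(f"{s!r:36} prefix={prefix_check_is_safe(s)!s:5} hardened={is_safe_client_path(s)}")
```

The last sample is the one worth remembering: `../client-updates-old/evil.dll` canonicalises to a directory whose name starts with the root, so a prefix comparison passes it while `Path.is_relative_to` correctly rejects it. Checking after `resolve()` rather than on the raw string is what makes the difference.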
In its update, SolarWinds has also patched eight vulnerabilities with a CVSS score between 7.8 and 8.8, all reported by ZDI, including deserialisation, improper default permission, and directory traversal bugs.
SolarWinds suffered a huge data breach in 2020, first identified by FireEye.