SolarWinds fixes critical RCE bugs in access rights audit solution

Original Source: Bleeping Computer

SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation.

Access Rights Manager allows companies to manage and audit access rights across their IT infrastructure to minimize insider threat impact and more.

CVE-2024-23476 and CVE-2024-23479 are due to path traversal weaknesses, while the third critical flaw tracked as CVE-2023-40057 is caused by deserialization of untrusted data.

Unauthenticated attackers can exploit all three to gain code execution on targeted systems left unpatched.

The other two bugs (CVE-2024-23477 and CVE-2024-23478) can also be used in RCE attacks and have been rated by SolarWinds as high-severity issues.

Four of the five flaws patched by SolarWinds this week were found and reported by anonymous researchers working with Trend Micro's Zero Day Initiative (ZDI), with the fifth one discovered by ZDI vulnerability researcher Piotr Bazydło.

SolarWinds patched the flaws in Access Rights Manager 2023.2.3, which was released this Thursday with bug and security fixes.

The company has not received any reports of these vulnerabilities being exploited in the wild, a SolarWinds spokesperson told BleepingComputer.

CVE-ID Vulnerability Title Severity
CVE-2023-40057 SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution 9.0 Critical
CVE-2024-23476 SolarWinds Access Rights Manager Directory Traversal Remote Code Execution 9.6 Critical
CVE-2024-23477 SolarWinds Access Rights Manager Directory Traversal Remote Code Execution 7.9 High
CVE-2024-23478 SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution 8.0 High
CVE-2024-23479 SolarWinds Access Rights Manager Directory Traversal Remote Code Execution 9.6 Critical

"These vulnerabilities were disclosed by Trend Micro’s Security Research Team, which collaborates with SolarWinds as part of our responsible disclosure program and our ongoing commitment to secure software development," the spokesperson told BleepingComputer.

"We have contacted customers to ensure they can take the steps to address these vulnerabilities by applying the patches we have released. Responsible disclosure of vulnerabilities is key to improving security within our products and the industry at large and we thank Trend Micro for their partnership."

SolarWinds also fixed three other critical Access Rights Manager RCE bugs in October, allowing attackers to run code with SYSTEM privileges.

March 2020 SolarWinds supply-chain attack

Four years ago, the Russian APT29 hacking group infiltrated SolarWinds' internal systems, injecting malicious code into SolarWinds Orion IT administration platform builds downloaded by customers between March 2020 and June 2020.

These trojanized builds facilitated the deployment of the Sunburst backdoor on thousands of systems, but the attackers selectively targeted a significantly smaller number of organizations for further exploitation.

With a clientele exceeding 300,000 worldwide, SolarWinds at the time serviced 96% of Fortune 500 companies, including high-profile companies like Apple, Google, and Amazon, as well as government organizations like the U.S. Military, Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

After the supply-chain attack was disclosed, multiple U.S. government agencies confirmed they were breached, including the Departments of State, Homeland Security, Treasury, and Energy, as well as the National Telecommunications and Information Administration (NTIA), the National Institutes of Health, and the National Nuclear Security Administration.

In April 2021, the United States government formally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the SolarWinds cyberattack.

In October, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds with defrauding investors by allegedly failing to notify them of cybersecurity defense issues before the 2020 hack.

Update February 16, 14:31 EST: Added SolarWinds statement.

Source URL:

Author: Sergiu Gatlan

Leave a Comment