SolarWinds has fixed five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that enable unauthenticated exploitation.
Access Rights Manager enables businesses to manage and audit access rights throughout their IT infrastructure, reducing the impact of insider threats and more.
CVE-2024-23476 and CVE-2024-23479 are caused by path traversal flaws, while the third critical flaw, CVE-2023-40057, stems from deserialization of untrusted data.
All three can be used by unauthenticated attackers to execute code on systems that have been left unpatched.
SolarWinds has classified the other two bugs (CVE-2024-23477 and CVE-2024-23478) as high-severity problems, and they can also be used in RCE attacks.
Anonymous researchers working with Trend Micro's Zero Day Initiative (ZDI) discovered and reported four of the five flaws that SolarWinds fixed this week, with the fifth found by Piotr Bazydło, a researcher working on the same project.
SolarWinds fixed the flaws in Access Rights Manager 2023.2.3, which was released this Thursday with bug and security fixes.
While the company has added the security advisories to the public list on SolarWinds' Trust Center, it has not yet disclosed whether any of these vulnerabilities were used in attacks prior to patching.
In October, SolarWinds fixed three other important Access Rights Manager RCE bugs that allowed attackers to run code with SYSTEM privileges.
CVE-ID | Vulnerability Title | Severity
---|---|---
CVE-2023-40057 | SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution | Critical 9.0
CVE-2024-23476 | SolarWinds Access Rights Manager Directory Traversal Remote Code Execution | Critical 9.6
CVE-2024-23477 | SolarWinds Access Rights Manager Directory Traversal Remote Code Execution | High 7.9
CVE-2024-23478 | SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution | High 8.0
CVE-2024-23479 | SolarWinds Access Rights Manager Directory Traversal Remote Code Execution | Critical 9.6
"These vulnerabilities were shared with us by Trend Micro's Security Research Team as part of their responsible disclosure program and our ongoing commitment to secure software development," a SolarWinds spokesperson told BleepingComputer.
"We have gotten in touch with customers to make sure they can use the patches we've released to fix these vulnerabilities. We appreciate Trend Micro's partnership because it is essential to responsibly disclose vulnerabilities in order to increase security within our products and the sector as a whole."
SolarWinds supply chain attack in March 2020
Four years ago, the Russian APT29 hacking group infiltrated SolarWinds' internal systems and injected malicious code into builds of the company's Orion IT administration platform that customers downloaded between March 2020 and June 2020.
These trojanized builds allowed the Sunburst backdoor to be deployed on thousands of systems, but the attackers targeted only a much smaller group of organizations for further exploitation.
At the time, SolarWinds served 96% of Fortune 500 companies worldwide, including well-known firms like Apple, Google, and Amazon, as well as the U.S. Military, Pentagon, State Department, NASA, Postal Service, NOAA, Department of Justice, and the Office of the President.
After the supply chain attack was made public, the National Telecommunications and Information Administration (NTIA), the National Institutes of Health, and the National Nuclear Security Administration all confirmed that they had been breached, as did the Departments of State, Homeland Security, Treasury, and Energy.
In April 2021, the U.S. government formally charged the Russian Foreign Intelligence Service (SVR) with planning the SolarWinds cyberattack.
In October, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds with defrauding investors by allegedly failing to inform them of cybersecurity defense concerns prior to the 2020 hack.
Update: SolarWinds statement added on February 16 at 14:31 EST.