Hard-Coded Credentials (CVE-2024-23473), RCE (CVE-2024-28075) Flaws Patched in SolarWinds ARM


SolarWinds, a leading provider of IT management software, has taken swift action to address critical vulnerabilities in its Access Rights Manager (ARM) solution, patching two major flaws that could expose sensitive data and grant unauthorized access to threat actors.


The vulnerabilities, tracked as CVE-2024-28075 and CVE-2024-23473, were discovered by ZDI vulnerability researcher Piotr Bazydło and reported to SolarWinds. The flaws, classified as high-severity, could enable remote code execution and bypass authentication, granting malicious actors a foothold within targeted networks.

The first vulnerability, identified as CVE-2024-28075 and rated 9.0 on the CVSS scale, involved the deserialization of untrusted data, which could lead to remote code execution. This flaw required an authenticated user and could allow attackers to execute arbitrary code on the system by abusing the SolarWinds service.
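To make the vulnerability class concrete from a defensive angle, here is an added Python example (not SolarWinds or ARM code, and not related to how ARM itself handles messages). It places the risky pattern, handing untrusted bytes to a general-purpose deserializer, beside two hardened alternatives: an unpickler that refuses to resolve any class or function named in the stream, and a data-only format (JSON) validated against an explicit field set. The message fields, the allowed message types and the sample message are all constructed for this example.

```python
import io
import json
import pickle

# Constructed sample queue message; the field set and allowed types are
# assumptions for this example, not an ARM message format.
REQUIRED_FIELDS = {"type", "user", "resource"}
ALLOWED_TYPES = {"grant", "revoke"}
SAMPLE_MESSAGE = b'{"type": "grant", "user": "alice", "resource": "share01"}'


def unsafe_load(data: bytes):
    """The risky pattern: pickle.loads resolves whatever class or callable the
    stream names, so whoever controls the bytes controls what gets executed."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global, so a stream can only
    rebuild plain containers, strings and numbers."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted data")


def restricted_load(data: bytes):
    """Deserialize with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refused the stream."""
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


class HarmlessRecord:
    """Ordinary class used only to build a pickle that references a global."""
    value = 1


def pickle_bytes(obj) -> bytes:
    """Serialize an object the normal way (used to produce test inputs)."""
    return pickle.dumps(obj)


def load_message(data: bytes) -> dict:
    """Preferred approach: a data-only format plus explicit shape checks."""
    msg = json.loads(data)
    if not isinstance(msg, dict):
        raise ValueError("message must be a JSON object")
    if set(msg) != REQUIRED_FIELDS:
        raise ValueError(f"unexpected field set: {sorted(msg)}")
    if msg["type"] not in ALLOWED_TYPES:
        raise ValueError(f"unknown message type {msg['type']!r}")
    if not all(isinstance(msg[k], str) for k in ("user", "resource")):
        raise ValueError("user and resource must be strings")
    return msg


def message_is_valid(data: bytes) -> bool:
    """True if load_message accepts the bytes."""
    try:
        load_message(data)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


if __name__ == "__main__":
    print(restricted_load(pickle_bytes({"ok": True})))
    print(is_rejected(pickle_bytes(HarmlessRecord())))
    print(load_message(SAMPLE_MESSAGE))
```

The restricted unpickler is deliberately strict: it rejects even a harmless user-defined class, because the loader cannot tell a benign class reference from a dangerous one. Where a service only ever needs data, the JSON path with a fixed schema is the simpler and safer choice.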

The second flaw, CVE-2024-23473 with a CVSS score of 8.6, was an authentication bypass vulnerability due to hard-coded credentials within the ARM software. This particular vulnerability granted access to the RabbitMQ management console, an essential component for handling message-queue communications within networks, which could be exploited to gain unauthorized control over network operations.
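The hard-coded credential class is worth a defender-side illustration as well. The following Python is an added example, not ARM or RabbitMQ code, showing two checks a team can apply: a lightweight scan that flags secret-looking literals assigned in source, and a startup loader that takes RabbitMQ management credentials only from the environment and refuses both a missing value and RabbitMQ's well-known default `guest`/`guest` account. The source snippet, the environment variable names and the minimum length are constructed assumptions for this example.

```python
import re

# Flags an assignment of a quoted literal to a secret-like name, e.g.
#   RABBITMQ_PASSWORD = "Sup3rS3cret!"
# No leading word boundary, so prefixed names such as RABBITMQ_PASSWORD match.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["\']([^"\']{4,})["\']')

# Constructed source snippet for the scan; line 3 is the hard-coded value.
SAMPLE_SOURCE = "\n".join([
    'RABBITMQ_HOST = "localhost"',
    'RABBITMQ_USER = "admin"',
    'RABBITMQ_PASSWORD = "Sup3rS3cret!"',
    'timeout = 30',
    'api_key = os.environ["ARM_API_KEY"]',
])

# RabbitMQ ships with a default guest/guest account; never accept it.
DEFAULT_CREDENTIALS = {("guest", "guest")}
MIN_PASSWORD_LENGTH = 12  # assumption for this example


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each secret-like literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        if SECRET_ASSIGNMENT.search(line):
            findings.append((lineno, line.strip()))
    return findings


def load_rabbitmq_credentials(env: dict) -> tuple[str, str]:
    """Load management-console credentials from the environment only.

    There is intentionally no built-in fallback: a missing value is an
    error, not a reason to use a value baked into the program."""
    user = env.get("RABBITMQ_MGMT_USER")
    password = env.get("RABBITMQ_MGMT_PASSWORD")
    if not user or not password:
        raise RuntimeError("RabbitMQ management credentials not supplied")
    if (user, password) in DEFAULT_CREDENTIALS:
        raise RuntimeError("refusing to use RabbitMQ's default guest account")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise RuntimeError("RabbitMQ management password is too short")
    return user, password


def credentials_accepted(env: dict) -> bool:
    """True if load_rabbitmq_credentials accepts the given environment."""
    try:
        load_rabbitmq_credentials(env)
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    for lineno, line in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {line}")
    print(credentials_accepted({"RABBITMQ_MGMT_USER": "armsvc",
                                "RABBITMQ_MGMT_PASSWORD": "correct-horse-battery"}))
```

The scan is a cheap pre-commit or CI check, not a substitute for a full secret scanner; its value is that it catches the exact pattern this advisory describes, a credential that never leaves the code base. The loader closes the other half: even if a default exists somewhere, the service will not start with it.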

The patches were included in the latest release of Access Rights Manager version 2023.2.4, which was rolled out this Thursday. The update not only addressed these vulnerabilities but also included various bug fixes and security improvements.

While SolarWinds claims no evidence of active exploitation in the wild, the potential impact of these vulnerabilities underscores the importance of proactive security measures. Organizations relying on ARM for access management are advised to prioritize patching, conduct regular security assessments, and implement robust monitoring and detection capabilities to identify and respond to potential threats.