SolarWinds Patches Multiple Critical Vulnerabilities in Access Rights Manager
SolarWinds, a leading provider of IT management software, has issued an urgent security advisory regarding multiple critical vulnerabilities discovered in its Access Rights Manager (ARM) product. These flaws expose organizations to a range of severe threats, including unauthorized access, data breaches, and potentially complete system takeover.
The vulnerabilities, many of which carry the highest severity rating (CVSS 9.6), affect the core functionality of the Access Rights Manager. This software is crucial for many businesses, as it controls and audits access rights across their IT infrastructure, aiming to mitigate insider threats and ensure data security. The flaws were discovered and reported by researchers working with Trend Micro’s Zero Day Initiative (ZDI). Below are the key details of each vulnerability:
- CVE-2024-23475 (CVSS 9.6): This directory traversal and information disclosure vulnerability allows unauthenticated users to delete arbitrary files and access sensitive information.
- CVE-2024-23469 (CVSS 9.6): A remote code execution (RCE) vulnerability that permits unauthenticated users to execute commands with SYSTEM privileges.
- CVE-2024-23472 (CVSS 9.6): Another directory traversal vulnerability enabling authenticated users to read and delete files arbitrarily.
- CVE-2024-23465 (CVSS 8.3): This authentication bypass flaw allows unauthenticated users to gain domain admin access within Active Directory environments.
- CVE-2024-23466 (CVSS 9.6): An RCE vulnerability due to directory traversal, enabling unauthenticated users to perform actions with SYSTEM privileges.
- CVE-2024-28993 (CVSS 7.6): Directory traversal and information disclosure vulnerability allowing arbitrary file deletion and leakage of sensitive data.
- CVE-2024-23467 (CVSS 9.6): Another severe RCE vulnerability allowing unauthenticated remote code execution.
- CVE-2024-28992 (CVSS 7.6): Similar to CVE-2024-28993, this vulnerability permits arbitrary file deletion and information leakage.
- CVE-2024-28074 (CVSS 9.6): An internal deserialization RCE vulnerability, a previously identified flaw that was not completely fixed, allowing exploitation via a different method.
- CVE-2024-23474 (CVSS 7.6): A directory traversal vulnerability resulting in arbitrary file deletion and information disclosure.
- CVE-2024-23468 (CVSS 7.6): Another directory traversal and information disclosure vulnerability allowing unauthorized file deletion and data leakage.
- CVE-2024-23471 (CVSS 9.6): An RCE vulnerability enabling authenticated users to abuse a SolarWinds service for remote code execution.
- CVE-2024-23470 (CVSS 9.6): A pre-authentication RCE vulnerability allowing unauthenticated users to run commands and executables.
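Most of the entries above are directory traversal bugs: a path supplied by the caller is joined onto a server-side base directory and then used to read or delete a file without checking that the result still lies inside that directory. The following is an added example, not SolarWinds code and not based on any ARM internals, showing the general containment check a defender would expect in such a handler, with a few constructed request paths run through it. The base directory and the sample paths are assumptions made up for the illustration.

```python
import os
from urllib.parse import unquote

# Constructed base directory for the example; not an ARM path.
BASE_DIR = "/tmp/arm-example"

# Constructed request paths: one benign, several classic traversal shapes.
SAMPLE_REQUESTS = [
    "reports/q1.csv",                 # legitimate, stays inside the base
    "../../etc/passwd",               # plain dot-dot traversal
    "%2e%2e/%2e%2e/etc/shadow",       # URL-encoded dot-dot
    "/etc/passwd",                    # absolute path that discards the base on join
    "..\\..\\windows\\win.ini",       # backslash separators, as seen against Windows hosts
    "logs/./audit.log",               # harmless dot segment, should be accepted
]


def resolve_within(base_dir: str, user_path: str):
    """Return the absolute path if user_path stays inside base_dir, else None.

    The check canonicalises both sides with realpath so that '..', '.',
    and symlinks are resolved before the comparison is made.
    """
    base_real = os.path.realpath(base_dir)

    # Decode exactly once, before any path logic, so encoded separators
    # and dots are seen by the check rather than treated as literal bytes.
    decoded = unquote(user_path)

    # Treat backslashes as separators too; on POSIX they would otherwise be
    # part of a file name, which hides traversal aimed at a Windows backend.
    decoded = decoded.replace("\\", "/")

    # Empty or absolute input can never be a valid relative name under base.
    if not decoded or os.path.isabs(decoded):
        return None

    candidate = os.path.realpath(os.path.join(base_real, decoded))

    # Containment test: the common prefix must be the base itself, and the
    # candidate must not be the base directory (a delete there is catastrophic).
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    if candidate == base_real:
        return None
    return candidate


def flag_traversal_attempts(base_dir: str, requested_paths):
    """Return the requested paths that fail the containment check.

    Useful both as an input filter and as a detection pass over request logs.
    """
    return [p for p in requested_paths if resolve_within(base_dir, p) is None]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} -> {resolve_within(BASE_DIR, req)}")
```

The order of operations matters: decoding before the check defeats single URL encoding, the backslash normalisation covers Windows-style separators, and comparing canonical paths rather than looking for the literal string `..` avoids the usual bypasses of substring filters.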
Any organization using SolarWinds Access Rights Manager is potentially at risk. While SolarWinds has not received reports of these vulnerabilities being exploited in the wild, the severity of the flaws and the potential for widespread impact make immediate action crucial.
SolarWinds has released Access Rights Manager 2024.3, which includes patches for all identified vulnerabilities. All organizations running ARM must update to this version immediately to protect their systems and data.