SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation.
Access Rights Manager allows companies to manage and audit access rights across their IT infrastructure to minimize insider threat impact and more.
Unauthenticated attackers can exploit all three to gain code execution on targeted systems left unpatched.
The other two bugs (CVE-2024-23477 and CVE-2024-23478) can also be used in RCE attacks and have been rated by SolarWinds as high-severity issues.
Four of the five flaws patched by SolarWinds this week were found and reported by anonymous researchers working with Trend Micro’s Zero Day Initiative (ZDI), with the fifth one discovered by ZDI vulnerability researcher Piotr Bazydło.
The company has not received any reports of these vulnerabilities being exploited in the wild, a SolarWinds spokesperson told BleepingComputer.
| CVE-ID | Vulnerability Title | Severity |
|---|---|---|
| CVE-2023-40057 | SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution | 9.0 Critical |
| CVE-2024-23476 | SolarWinds Access Rights Manager Directory Traversal Remote Code Execution | 9.6 Critical |
| CVE-2024-23477 | SolarWinds Access Rights Manager Directory Traversal Remote Code Execution | 7.9 High |
| CVE-2024-23478 | SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution | 8.0 High |
| CVE-2024-23479 | SolarWinds Access Rights Manager Directory Traversal Remote Code Execution | 9.6 Critical |
“These vulnerabilities were disclosed by Trend Micro’s Security Research Team, which collaborates with SolarWinds as part of our responsible disclosure program and our ongoing commitment to secure software development,” the spokesperson told BleepingComputer.
“We have contacted customers to ensure they can take the steps to address these vulnerabilities by applying the patches we have released. Responsible disclosure of vulnerabilities is key to improving security within our products and the industry at large and we thank Trend Micro for their partnership.”
SolarWinds also fixed three other critical Access Rights Manager RCE bugs in October, allowing attackers to run code with SYSTEM privileges.
March 2020 SolarWinds supply-chain attack
These trojanized builds facilitated the deployment of the Sunburst backdoor on thousands of systems, but the attackers selectively targeted a significantly smaller number of organizations for further exploitation.
With a clientele exceeding 300,000 worldwide, SolarWinds at the time serviced 96% of Fortune 500 companies, including high-profile companies like Apple, Google, and Amazon, as well as government organizations like the U.S. Military, Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.
After the supply-chain attack was disclosed, multiple U.S. government agencies confirmed they were breached, including the Departments of State, Homeland Security, Treasury, and Energy, as well as the National Telecommunications and Information Administration (NTIA), the National Institutes of Health, and the National Nuclear Security Administration.
In April 2021, the United States government formally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the SolarWinds cyberattack.
In October, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds with defrauding investors by allegedly failing to notify them of cybersecurity defense issues before the 2020 hack.
Update February 16, 14:31 EST: Added SolarWinds statement.