Critical Bug Fixes: SolarWinds Upgrades Access Rights Software

Executive Summary

SolarWinds has addressed eight critical vulnerabilities in its Access Rights Manager (ARM) software, six of which allowed attackers to gain remote code execution (RCE) on affected systems.

Access Rights Manager is a vital tool for enterprises, enabling administrators to manage and audit access rights across their IT infrastructure to reduce potential threats.

The RCE vulnerabilities (CVE-2024-23469, CVE-2024-23466, CVE-2024-23467, CVE-2024-28074, CVE-2024-23471, and CVE-2024-23470), each with a severity score of 9.6/10, could enable attackers to execute code or commands on unpatched systems, with or without SYSTEM privileges depending on the specific flaw exploited.

Additionally, SolarWinds has resolved three critical directory traversal vulnerabilities (CVE-2024-23475 and CVE-2024-23472) that permitted unauthenticated users to delete arbitrary files and access sensitive information by navigating outside of restricted directories.

SolarWinds also fixed a high-severity authentication bypass vulnerability (CVE-2024-23465) that could have allowed unauthenticated attackers to gain domain admin access within an Active Directory environment.

These vulnerabilities were patched in Access Rights Manager version 2024.3, released on Wednesday, which included various bug and security fixes. All vulnerabilities were reported through Trend Micro's Zero Day Initiative.

Failure to upgrade the software could leave systems exposed to significant risks, as attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, and compromise sensitive information. SolarWinds has not yet confirmed whether proof-of-concept exploits are available or whether any of the vulnerabilities have been exploited in the wild.

References

https://www.solarwinds.com/trust-center/security-advisories
