SolarWinds has addressed a set of critical security flaws affecting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code.
Of the 13 vulnerabilities, eight received a critical severity rating and a CVSS score of 9.6 out of 10.0. The remaining five vulnerabilities were rated as High severity, with four receiving a CVSS score of 7.6 and one receiving a CVSS score of 8.3.
The most serious flaws are listed below –
- CVE-2024-23472 – SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability
- CVE-2024-28074 – SolarWinds ARM Internal Deserialization Remote Code Execution Vulnerability
- CVE-2024-23469 – SolarWinds ARM Exposed Dangerous Method Remote Code Execution Vulnerability
- CVE-2024-23475 – SolarWinds ARM Traversal and Information Disclosure Vulnerability
- CVE-2024-23467 – SolarWinds ARM Traversal Remote Code Execution Vulnerability
- CVE-2024-23466 – SolarWinds ARM Directory Traversal Remote Code Execution Vulnerability
- CVE-2024-23470 – SolarWinds ARM UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability
- CVE-2024-23471 – SolarWinds ARM CreateFile Directory Traversal Remote Code Execution Vulnerability
Successful exploitation of the above vulnerabilities could allow an attacker to read and delete files and execute code with elevated privileges.
The vulnerabilities were addressed in version 2024.3, released on July 17, 2024, following responsible disclosure as part of the Trend Micro Zero Day Initiative (ZDI).
The development came after the US Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity path traversal flaw in SolarWinds Serv-U (CVE-2024-28995, CVSS score: 8.6) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The network security company fell victim to a major supply chain attack in 2020 after the update mechanism associated with its Orion network management platform was compromised by the Russian hacking group APT29 to distribute malicious code to downstream customers as part of a high-profile cyber espionage campaign.
The breach prompted the US Securities and Exchange Commission (SEC) to file a lawsuit against SolarWinds and its chief information security officer (CISO) last October, alleging that the company failed to disclose enough material information to investors regarding cybersecurity risks.
However, a significant part of the claims in the lawsuit was dismissed by the U.S. District Court for the Southern District of New York on July 18, which stated that "these allegations do not allege actionable deficiencies in the company's reporting of the cybersecurity breach" and that they "impermissibly rely on hindsight and conjecture."