SolarWinds has addressed a set of serious security flaws affecting its Access Rights Manager (ARM) software that could be exploited to access sensitive information or execute arbitrary code.
Of the 13 vulnerabilities, eight are rated as Critical with a CVSS score of 9.6 out of 10. The remaining five weaknesses have been rated as High severity, with four of them scoring 7.6 and one scoring 8.3.
The most severe of the flaws are as follows:
CVE-2024-23472 – Arbitrary file deletion and information disclosure vulnerability via directory traversal in SolarWinds ARM.
CVE-2024-28074 – Remote code execution vulnerability through internal deserialization in SolarWinds ARM.
CVE-2024-23469 – Remote code execution vulnerability via a dangerous method exposed by SolarWinds ARM.
CVE-2024-23475 – Information disclosure and directory traversal vulnerability in SolarWinds ARM.
CVE-2024-23467 – Remote code execution and directory traversal vulnerability in SolarWinds ARM.
CVE-2024-23466 – Remote code execution and directory traversal vulnerability in SolarWinds ARM.
CVE-2024-23470 – Remote execution of dangerous method commands exposed by the SolarWinds ARM UserScriptHumster component.
CVE-2024-23471 – Remote code execution and file creation directory traversal vulnerability in SolarWinds ARM.
Successful exploitation of these vulnerabilities could allow an attacker to read and delete files on the ARM host and execute code with elevated privileges.
The flaws were addressed in version 2024.3, released on July 17, 2024, following responsible disclosure through Trend Micro's Zero Day Initiative (ZDI). ARM installations running earlier releases remain exposed and should be upgraded.
The development comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity path traversal flaw in SolarWinds Serv-U (CVE-2024-28995, CVSS score: 8.6) to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.
The company was the victim of a major supply chain attack in 2020, after the update mechanism of its Orion network management platform was compromised by the Russian state-sponsored group APT29 to distribute malicious code to downstream customers as part of a high-profile cyber espionage campaign.
The incident led the U.S. Securities and Exchange Commission (SEC) to file a lawsuit against SolarWinds and its Chief Information Security Officer (CISO) in October 2023, alleging that the company did not appropriately disclose material information to investors about its cybersecurity risks.
However, most of the lawsuit's claims were dismissed by the U.S. District Court for the Southern District of New York (SDNY) on July 18, 2024, with the court ruling that "these do not plausibly allege actionable deficiencies in the company's disclosure regarding the cybersecurity breach" and that "they impermissibly rely on hindsight and speculation."
Via The Hacker News