
September 17, 2024 |

SolarWinds patches two Access Rights Manager vulnerabilities


SolarWinds has released updates to address two vulnerabilities in its Access Rights Manager (ARM) software, used by organizations to manage and audit access rights across IT infrastructure.

The first flaw, designated CVE-2024-28991, is a critical deserialization-of-untrusted-data vulnerability that can lead to remote code execution. Exploitation nominally requires authentication, but the authentication mechanism can be bypassed, so in practice the flaw is reachable without valid credentials.

The second flaw, designated CVE-2024-29889, is a medium-severity hardcoded-credentials vulnerability that threat actors could leverage to access the RabbitMQ management console used by ARM.

So far, SolarWinds says it is not aware of any active exploitation of either vulnerability, and it has not indicated whether exploit code is publicly available. The company encourages all users to install ARM version 2024.3.1 as soon as possible.

Source: The Hacker News

Analysis

In August 2024, SolarWinds fixed a critical hardcoded credentials vulnerability in its Web Help Desk (WHD) software, used by organizations to efficiently accept, track, and respond to support requests.

It’s possible SolarWinds reviewed the code of its other products for the same type of potentially exploitable use of hardcoded credentials, leading to the discovery of CVE-2024-29889. Furthermore, ARM’s code has likely been subjected to increased scrutiny due to the discovery of ten vulnerabilities in the product in July 2024.

While SolarWinds is not yet aware of any active exploitation of CVE-2024-28991 or CVE-2024-29889, threat actors have recently exploited vulnerabilities in other SolarWinds solutions.

For example, in June 2024, a high-severity directory traversal vulnerability in SolarWinds' Serv-U was quickly exploited after proof-of-concept (PoC) code was publicly released by an overly eager cybersecurity company before admins had the chance to patch their systems.

You may also recall that SolarWinds was the victim of a widely reported breach in 2020 when hackers working for Russia’s Foreign Intelligence Service (SVR) infiltrated SolarWinds' internal systems and injected malicious code into SolarWinds Orion builds.

These trojanized builds, downloaded by customers between March 2020 and June 2020, enabled the deployment of the Sunburst backdoor on thousands of systems. This supply chain attack ended up impacting 96% of Fortune 500 companies, as well as many U.S. government departments.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like SolarWinds ARM. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends users of affected SolarWinds ARM versions update to the latest version as soon as possible, in accordance with the advisory.
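One quick way to find ARM installs that are still below the fixed build is to read the installed version from the Windows Uninstall registry keys on each ARM server and compare it to 2024.3.1. The script below is an added example written for this page, not code from the article, Field Effect or SolarWinds; it assumes ARM registers itself under the standard Uninstall keys with a DisplayName containing "Access Rights Manager", and that the DisplayVersion value follows the product's year.release.patch numbering. The function name and the match pattern are illustrative.

```powershell
# Added example (not from the article or SolarWinds): report whether the locally
# installed Access Rights Manager is older than the fixed build, 2024.3.1.
# Assumptions: ARM appears under the standard Uninstall keys with a DisplayName
# containing "Access Rights Manager"; adjust the -like pattern if yours differs.
$FixedVersion  = [version]'2024.3.1'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ArmVersionStatus {
    $installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Access Rights Manager*' }

    if (-not $installs) {
        # Nothing registered: either ARM is not on this host or the name differs.
        return [pscustomobject]@{ Found = $false; Version = $null; Vulnerable = $null }
    }

    foreach ($app in $installs) {
        # DisplayVersion may carry a build suffix such as 2024.3.0.1234. [version]
        # accepts 2-4 numeric components, so strip anything that is not digits or dots.
        $raw    = ($app.DisplayVersion -replace '[^\d.]', '')
        $parsed = $null
        if (-not [version]::TryParse($raw, [ref]$parsed)) {
            [pscustomobject]@{
                Found      = $true
                Version    = $app.DisplayVersion
                Vulnerable = 'unknown (unparseable version string)'
            }
            continue
        }
        # [version] compares component by component, so 2024.3.0.1234 sorts below
        # 2024.3.1 and 2024.3.1.5 sorts above it, which is the ordering we want.
        [pscustomobject]@{
            Found      = $true
            Version    = $parsed.ToString()
            Vulnerable = ($parsed -lt $FixedVersion)
        }
    }
}

Get-ArmVersionStatus | Format-Table -AutoSize
```

Run it locally on each ARM server, or wrap the function in Invoke-Command against your list of ARM hosts to collect results centrally. A version below 2024.3.1 only tells you the host is unpatched; it is not evidence of compromise, so treat any such host as a patching priority and review it separately for signs of exploitation.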
