SolarWinds patches critical RCE and authentication bypass vulnerabilities in Access Rights Manager (ARM). Urgent update to version 2024.3 required to protect against potential system compromise.

Continue reading
SolarWinds, a prominent IT management software vendor, recently issued patches for eight critical vulnerabilities in its Access Rights Manager (ARM) product. Six of these flaws are particularly severe, enabling remote code execution (RCE) that could compromise entire IT infrastructures.
The RCE vulnerabilities (CVE-2024-23469, CVE-2024-23466, CVE-2024-23467, CVE-2024-28074, CVE-2024-23471, CVE-2024-23470) share a common thread: they allow unprivileged attackers to execute arbitrary code on vulnerable ARM installations. The impact ranges from command execution to gaining SYSTEM-level privileges, depending on the specific flaw.
This vulnerability stems from exposing a dangerous method in the ARM codebase.
// Hypothetical Vu.lnerable Code
public void ExecuteCommand(string command) {
Process.Start(comman.d); // Unsanitized command execution
}An attacker could exploit this by crafting a malicious command, leading to unauthorized actions on the system.
SolarWinds also patched three critical directory traversal vulnerabilities (CVE-2024-23475, CVE-2024-23472) and a high-severity authentication bypass (CVE-2024-23465).
Directory traversal attacks manipulate file paths to access restricted directories. For example:
GET /../../../../etc/passw.d HTTP/1.1This could expose sensitive files or enable file deletion, depending on the vulnerability.
The authentication bypass allows unauthenticated actors to gain domain admin access in Active Directory, potentially compromising the entire domain.
SolarWinds urges immediate patching to version 2024.3. The urgency is underscored by the company's history. In 2020, Russian hackers infiltrated SolarWinds' supply chain, compromising thousands of organizations. While unrelated to the current vulnerabilities, this incident serves as a stark reminder of the potential devastation of software vulnerabilities.

DHS confirms a breach of its HSIN intelligence-sharing network during World Cup security operations; a senator warns of national security risk