SolarWinds Patches Critical RCE Vulnerability in Access Rights Manager


SolarWinds has released a security update that fixes two vulnerabilities in its Access Rights Manager (ARM) software. The more serious of the two, tracked as CVE-2024-28991, is a remote code execution (RCE) flaw that SolarWinds rates 9.0 out of 10 on the Common Vulnerability Scoring System (CVSS). Successful exploitation lets an attacker run code of their choosing on the ARM server.

The Deserialization Threat: CVE-2024-28991

The critical vulnerability stems from deserialization of untrusted data, a common and dangerous class of software flaw. In its advisory, SolarWinds explained, “SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.” In other words, the attacker needs an authenticated session, but with one the flaw can be abused to run arbitrary code and compromise the entire system.

The Trend Micro Zero Day Initiative (ZDI), the bug bounty program that reported the flaw, rates it even higher at CVSS 9.9. Piotr Bazydlo, a security researcher with ZDI, is credited with discovering and reporting the issue on May 24, 2024.

At the core of the issue is a class within ARM called JsonSerializationBinder, which does not validate the type information carried in user-supplied data. A serialization binder's job is to map the type names found in serialized input to the classes the application is actually prepared to instantiate; when it accepts any name it is given, the input controls which classes get created. Deserialization turns stored or transmitted data back into live in-memory objects, so an attacker who can name the classes can pick ones whose constructors or property setters perform dangerous actions during that reconstruction, and that is how crafted input becomes unauthorized code execution on the system.
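The following is an added illustration, not SolarWinds or ARM code and not the actual JsonSerializationBinder, of the pattern the advisory describes: a .NET application using Json.NET (Newtonsoft.Json) whose serialization binder resolves whatever type name the input supplies, beside a binder that enforces an allow list. The AccountUpdate and Gadget classes are hypothetical; in a real attack the payload names a gadget type already loaded in the target process, and the constructed Gadget here only records that its setter executed.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical: the only type this endpoint is supposed to accept.
public class AccountUpdate
{
    public string User { get; set; }
    public string Role { get; set; }
}

// Constructed stand-in for a gadget type already present in the process.
// Real gadgets do something harmful in a constructor or setter (write a
// file, start a process); this one only records that its setter ran.
public class Gadget
{
    public static bool SetterRan;
    public string Command { set { SetterRan = true; } }
}

// VULNERABLE PATTERN: resolve whatever "$type" the client names. This is
// exactly what Json.NET's DefaultSerializationBinder does, so a custom
// binder that merely delegates to it provides no protection at all.
public class PermissiveBinder : ISerializationBinder
{
    private readonly DefaultSerializationBinder _inner = new DefaultSerializationBinder();

    public Type BindToType(string assemblyName, string typeName)
        => _inner.BindToType(assemblyName, typeName);

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
        => _inner.BindToName(serializedType, out assemblyName, out typeName);
}

// HARDENED PATTERN: only explicitly listed types may ever be bound.
public class AllowListBinder : ISerializationBinder
{
    private static readonly Type[] Allowed = { typeof(AccountUpdate) };

    public Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName)
                return t;
        // Reject before any instance of the named type is created.
        throw new JsonSerializationException("type not permitted: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // never emit assembly names
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    static object Deserialize(string json, ISerializationBinder binder) =>
        JsonConvert.DeserializeObject<object>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto, // honours "$type" on input
            SerializationBinder = binder,
        });

    public static void Main()
    {
        // Constructed payload: "$type" names the gadget instead of AccountUpdate.
        string payload = "{\"$type\":\"" + typeof(Gadget).AssemblyQualifiedName +
                         "\",\"Command\":\"whoami\"}";

        // Permissive binder: the object graph is built as the client dictated.
        object o = Deserialize(payload, new PermissiveBinder());
        Console.WriteLine($"permissive: instantiated {o.GetType().Name}, setter ran = {Gadget.SetterRan}");

        // Allow-list binder: the same payload is rejected and the setter never runs.
        Gadget.SetterRan = false;
        try
        {
            Deserialize(payload, new AllowListBinder());
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine($"allow list: rejected ({e.Message}), setter ran = {Gadget.SetterRan}");
        }
    }
}
```

The allow-list binder matches on the bare type name and ignores the assembly part of "$type" entirely, so a payload cannot steer resolution toward a differently named assembly; setting TypeNameHandling to None is the stronger fix wherever polymorphic input is not genuinely required.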

The authentication requirement offers some protection, but ZDI warns that it can be circumvented, which raises the practical severity of the flaw. “Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed,” the ZDI said, adding urgency to patching.

Medium-Severity Vulnerability: Hard-Coded Credentials

In addition to the critical flaw, SolarWinds has also addressed a medium-severity vulnerability in the same ARM software, tracked as CVE-2024-28990. With a CVSS score of 6.3, this issue involves a hard-coded credential that could grant unauthorized access to the RabbitMQ management console.

RabbitMQ is a widely used open-source message broker that ARM relies on for queuing and delivering messages between its components. Shipping a fixed credential for its management console is a clear departure from security best practice: anyone who learns the credential can log in to the console, inspect or manipulate queues and settings, and use that foothold for further attacks.

Though this vulnerability is rated less severe than CVE-2024-28991, it still poses a substantial risk to systems that remain unpatched. SolarWinds has advised all users to update to ARM version 2024.3.1, which contains fixes for both vulnerabilities.


No Known Exploitation, but Immediate Action Urged

At the time of writing there is no evidence that either vulnerability has been exploited in the wild. Both flaws are nonetheless attractive to attackers. Deserialization of untrusted data is notoriously dangerous because a successful exploit yields arbitrary code execution on the server, while a hard-coded credential offers an entry point that requires no exploit at all once the value is known.

SolarWinds has urged users to update their software to the latest version immediately to mitigate the risk of potential attacks. “Users are recommended to update to the latest version as soon as possible to safeguard against potential threats,” the advisory stated.

Rising Cybersecurity Concerns: Other Vulnerabilities Highlight Growing Risks

The timing of SolarWinds’ disclosure coincides with news of other severe vulnerabilities being patched in widely used devices and software. For example, D-Link has recently addressed three critical vulnerabilities affecting several of its popular routers, including the DIR-X4860, DIR-X5460, and COVR-X1870 models. These flaws, tracked as CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697, each carry a CVSS score of 9.8 and could allow attackers to remotely execute arbitrary code or system commands.

The presence of these vulnerabilities emphasizes the critical need for users and organizations to remain vigilant and proactive when it comes to cybersecurity. As more businesses and individuals rely on networked devices and cloud services, the potential attack surface continues to expand. This means that even a single overlooked flaw could result in wide-scale compromises or data breaches.

Conclusion

The recent SolarWinds patches for Access Rights Manager address two issues, one critical and one of medium severity, that could have far-reaching consequences if left unresolved. The remote code execution vulnerability (CVE-2024-28991) poses a particularly high risk given its severity and the reported authentication bypass. The hard-coded credential (CVE-2024-28990) underlines the importance of basic secure-development practices: never ship static credentials, and never let untrusted input decide which types a deserializer will instantiate.

While there is currently no evidence of active exploitation, organizations running ARM should update to version 2024.3.1 without delay. The lesson is clear: prompt patching and adherence to established security practices remain essential defenses against an ever-evolving threat landscape.
