SolarWinds

SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation.

Access Rights Manager allows companies to manage and audit access rights across their IT infrastructure to minimize insider threat impact and more.

CVE-2024-23476 and CVE-2024-23479 are due to path traversal weaknesses, while the third critical flaw tracked as CVE-2023-40057 is caused by deserialization of untrusted data.

Unauthenticated attackers can exploit all three to gain code execution on targeted systems left unpatched.

The other two bugs (CVE-2024-23477 and CVE-2024-23478) can also be used in RCE attacks and have been rated by SolarWinds as high-severity issues.

Four of the five flaws patched by SolarWinds this week were found and reported by anonymous researchers working with Trend Micro’s Zero Day Initiative (ZDI), with the fifth one discovered by ZDI vulnerability researcher Piotr Bazydło.

SolarWinds patched the flaws in Access Rights Manager 2023.2.3, which was released this Thursday with bug and security fixes.

The company has yet to say whether any of these vulnerabilities were exploited in attacks before the patches were released, and has not yet added the security advisories to the public list available on SolarWinds’ trust center.

SolarWinds also fixed three other critical Access Rights Manager RCE bugs in October, which allowed attackers to run code with SYSTEM privileges.

CVE-ID          Vulnerability title                                                              Severity (CVSS)
CVE-2023-40057  SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution           9.0 Critical
CVE-2024-23476  SolarWinds Access Rights Manager Directory Traversal Remote Code Execution       9.6 Critical
CVE-2024-23477  SolarWinds Access Rights Manager Directory Traversal Remote Code Execution       7.9 High
CVE-2024-23478  SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution           8.0 High
CVE-2024-23479  SolarWinds Access Rights Manager Directory Traversal Remote Code Execution       9.6 Critical

March 2020 SolarWinds supply-chain attack

Four years ago, the Russian APT29 hacking group infiltrated SolarWinds’ internal systems and injected malicious code into builds of the SolarWinds Orion IT administration platform that customers downloaded between March 2020 and June 2020.

These trojanized builds facilitated the deployment of the Sunburst backdoor on thousands of systems, but the attackers selectively targeted a significantly smaller number of organizations for further exploitation.

With a clientele exceeding 300,000 worldwide, SolarWinds at the time serviced 96% of Fortune 500 companies, including high-profile companies like Apple, Google, and Amazon, as well as government organizations like the U.S. Military, Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

After the supply-chain attack was disclosed, multiple U.S. government agencies confirmed they were breached, including the Departments of State, Homeland Security, Treasury, and Energy, as well as the National Telecommunications and Information Administration (NTIA), the National Institutes of Health, and the National Nuclear Security Administration.

In April 2021, the United States government formally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the SolarWinds cyberattack.

In October, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds with defrauding investors by allegedly failing to notify them of cybersecurity defense issues before the 2020 hack.
