Patch Up or Pack Up: SolarWinds Seals Critical Security Gaps Amid RCE Flare-Up

Just patched: SolarWinds ARM’s ‘come one, come all’ security flaws. Five RCE vulnerabilities, three of them open to anyone without so much as a login and three carrying critical RSVPs. Update or face the hack-tastic music!

Hot Take:

Looks like SolarWinds is back in the cybersecurity spotlight, and not for winning any awards! They’ve patched a quintet of vulnerabilities that were basically leaving the digital door wide open for uninvited guests. It’s like they’ve been running a five-star hotel for hackers with complimentary RCE (Remote Code Execution) amenities. But don’t worry, they’ve finally changed the locks—let’s hope they keep track of the keys this time.

Key Points:

  • SolarWinds patched five RCE bugs in its Access Rights Manager tool: three are rated critical, and three (the directory traversal flaws) didn’t even require a hacker’s ID to exploit.
  • The flaws come in two flavors: path traversal, which needs no account at all, and deserialization of untrusted data, which needs an authenticated user. Either way, hackers got the VIP pass to the system’s backstage.
  • Four of these digital gremlins were caught by the cybersecurity ghostbusters at Trend Micro’s Zero Day Initiative.
  • The patched version, Access Rights Manager 2023.2.3, is like the new bouncer at the club, kicking out unwelcome code.
  • While the company’s lips are sealed on whether these flaws were exploited in the wild, they did get smacked by the SEC in the past for how they described their cyber defenses to investors.
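An added illustration of the directory traversal class behind three of the five flaws. This is generic Python written for this page, not SolarWinds code; the advisory does not name the affected endpoint or parameter, and nothing here reproduces it. It shows the naive path join that produces a traversal bug beside a hardened resolver that decodes, canonicalizes and enforces containment. BASE_DIR and the sample requests are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed for the demo: a pretend document root under the temp directory.
BASE_DIR = os.path.join(tempfile.gettempdir(), "arm_demo_webroot")


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """Naive join, the shape of a traversal bug: nothing checks that the
    result stays under base_dir, so '..' segments climb out, and an absolute
    user_path makes os.path.join discard base_dir altogether."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def hardened_resolve(base_dir: str, user_path: str) -> str:
    """Canonicalize, then enforce containment. Raises ValueError on escape."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # A Windows service sees both separators; normalize so the check does not
    # depend on the platform the demo happens to run on.
    user_path = user_path.replace("\\", "/")
    if user_path.startswith("/") or Path(user_path).is_absolute():
        raise ValueError("absolute path not allowed")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' AND follows symlinks, which normpath does not.
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return str(target)


def naive_escapes(base_dir: str, user_path: str) -> bool:
    """True when the vulnerable resolver lands outside base_dir."""
    base = Path(base_dir).resolve()
    resolved = Path(vulnerable_resolve(base_dir, user_path)).resolve()
    return resolved != base and base not in resolved.parents


def hardened_accepts(base_dir: str, user_path: str) -> bool:
    """True when the hardened resolver lets the request through."""
    try:
        hardened_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


def evaluate(raw_request_path: str) -> dict:
    """Percent-decode first (the check must run on what the filesystem will
    actually see), then report what each resolver does with the request."""
    decoded = unquote(raw_request_path)
    return {
        "decoded": decoded,
        "naive_escapes": naive_escapes(BASE_DIR, decoded),
        "hardened_accepts": hardened_accepts(BASE_DIR, decoded),
    }


# Constructed sample requests, not taken from the advisory.
SAMPLE_REQUESTS = [
    "reports/summary.html",                      # legitimate
    "../../Windows/win.ini",                     # classic traversal
    "reports/../../../etc/passwd",               # traversal behind a valid-looking prefix
    "/etc/passwd",                               # absolute path: os.path.join drops base_dir
    "reports/%2e%2e/%2e%2e/%2e%2e/etc/passwd",   # encoded dots, live once decoded
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:45} -> {evaluate(req)}")
```

The two things the vulnerable version lacks are a canonical form (so `..` and symlinks are collapsed before any comparison) and a containment test against the canonical base; a blocklist of `..` strings alone misses encoded and mixed-separator variants, which is why the hardened version decodes and normalizes first and then compares resolved paths.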

CVE Records:

All five entries are published CVE records assigned by SolarWinds and last updated 02/15/2024.

Directory traversal (unauthenticated):

CVE-2024-23476
Title: SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability
Description: SolarWinds Access Rights Manager (ARM) was found to be susceptible to a directory traversal remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve remote code execution.

CVE-2024-23477
Title: SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability
Description: SolarWinds Access Rights Manager (ARM) was found to be susceptible to a directory traversal remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve remote code execution.

CVE-2024-23479
Title: SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability
Description: SolarWinds Access Rights Manager (ARM) was found to be susceptible to a directory traversal remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve remote code execution.

Deserialization of untrusted data (authenticated):

CVE-2024-23478
Title: SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution
Description: SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.

CVE-2023-40057
Title: SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution
Description: SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
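An added illustration of the second class in the records above, deserialization of untrusted data. The page does not say which serializer ARM uses or how the flaw was reached, so this is not SolarWinds code and shows the class in Python's pickle instead: an attacker-crafted object whose reconstruction calls a function of the attacker's choosing, loaded once by a full-power loader and once by a loader restricted to an allowlist of types. `run_command`, `Gadget` and `Report` are constructed for the demo; the recorded "command" stands in for anything with real side effects.

```python
import io
import pickle

# Constructed stand-in for any callable with side effects (os.system,
# subprocess.Popen, ...). Recording instead of running keeps the demo harmless.
EXECUTED: list[str] = []


def run_command(cmd: str) -> str:
    EXECUTED.append(cmd)
    return f"would have run: {cmd}"


class Gadget:
    """Attacker-crafted object. __reduce__ tells the unpickler which callable
    to invoke, with which arguments, when the object is rebuilt. The call
    happens during deserialization, before any application code sees the
    result, which is what turns 'parse a message' into code execution."""

    def __reduce__(self):
        return (run_command, ("whoami",))


class Report:
    """Legitimate type the service expects to receive."""

    def __init__(self, name: str, rows: int) -> None:
        self.name = name
        self.rows = rows

    def __eq__(self, other: object) -> bool:
        return isinstance(other, Report) and vars(self) == vars(other)


# Allowlist of the only globals a payload may reference. Keyed dynamically so
# it stays correct whether this file runs as __main__ or is imported.
ALLOWED_GLOBALS = {(Report.__module__, Report.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global outside the allowlist, so no gadget
    callable is reachable regardless of what the bytes ask for."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def unsafe_loads(data: bytes):
    # The vulnerable pattern: untrusted bytes straight into a full-power loader.
    return pickle.loads(data)


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders over a legitimate and a malicious payload."""
    legit = pickle.dumps(Report("nightly", 3), protocol=pickle.HIGHEST_PROTOCOL)
    evil = pickle.dumps(Gadget(), protocol=pickle.HIGHEST_PROTOCOL)
    result = {}

    EXECUTED.clear()
    result["unsafe_legit_ok"] = unsafe_loads(legit) == Report("nightly", 3)
    unsafe_loads(evil)  # run_command fires here, during load
    result["unsafe_evil_executed"] = EXECUTED == ["whoami"]

    EXECUTED.clear()
    result["safe_legit_ok"] = safe_loads(legit) == Report("nightly", 3)
    try:
        safe_loads(evil)
        result["safe_evil_blocked"] = False
    except pickle.UnpicklingError:
        result["safe_evil_blocked"] = True
    result["safe_evil_executed"] = bool(EXECUTED)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is the whole defense: the malicious bytes are never "validated" in the sense of being inspected for bad content, the loader simply cannot reach any callable that is not a known data type. The same principle applies to other serializers (type binders or allowlists in .NET and Java deserializers), and it is why "authenticated user" in the records above is cold comfort: any account that can submit a message to the service can submit a gadget.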

Need to know more?

The Patch Parade Marches On

It's patching season at SolarWinds HQ, and they've just rolled out a fresh batch of fixes faster than you can say "access rights." With names like CVE-2024-23476 and his buddy CVE-2023-40057, these vulnerabilities sound like droids from a budget sci-fi, but they're no laughing matter. They've been lurking in the shadows, ready to leap out and scream "Boo!" at any unpatched systems.

Who Ya Gonna Call? Bug Busters!

Big shoutout to the anonymous digital detectives and one Piotr Bazydło from ZDI, who probably wear capes and surf the web with magnifying glasses. They sniffed out these cyber critters and sent them packing before they could throw a rave in your network.

Throwback: The Supply-Chain Shakedown

Remember the good ol' days of 2020 when the only thing we had to worry about was a global pandemic? SolarWinds sure does. They were busy dealing with a supply-chain attack that spread faster than your auntie's gossip, putting a spotlight on their client list, which reads like a Who's Who of Fortune 500 and top-secret government agencies. Russian hackers had a field day, and the U.S. government played the blame game with the SVR. Good times.

SEC Slap on the Wrist

As if the hack wasn't embarrassing enough, the SEC decided to give SolarWinds a stern talking-to, wagging their finger for not whispering sweet nothings about their cybersecurity weaknesses into investors' ears. It's like getting caught with your pants down and then being told you're wearing ugly underwear.

And In Conclusion...

SolarWinds is working hard to buff out the scratches on their armor, but it's like playing Whack-A-Mole with cyber vulnerabilities. For now, they've whacked these moles good, but who knows when the next head will pop up? Stay tuned for the next episode of "As the Cyber World Turns."

Tags: access rights management, critical severity vulnerabilities, deserialization attack, path traversal vulnerability, Remote Code Execution, SolarWinds, Zero Day Initiative