SolarWinds Releases Patches for High-Severity Vulnerabilities in Access Rights Manager (ARM)

SolarWinds, a leading provider of IT management software, has recently addressed eight high-severity vulnerabilities in its Access Rights Manager (ARM). Notably, this release includes patches for three remote code execution (RCE) flaws that can be exploited without authentication. These vulnerabilities were identified by Sina Kheirkhah of the Summoning Team and reported to ZDI, a leading vulnerability research organization.

Identification and Reporting of Remote Code Execution Flaws

The three RCE flaws, tracked as CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, have been disclosed by SolarWinds. These vulnerabilities were brought to the attention of SolarWinds by Sina Kheirkhah, who reported them to ZDI. These vulnerabilities are particularly concerning as they allow remote, unauthenticated attackers to execute arbitrary code with system privileges.

Exploitation and Potential Impact

The ability for attackers to execute arbitrary code with system privileges is alarming. Exploiting these vulnerabilities can lead to unauthorized access, data breaches, and further compromise of the targeted systems. This potential impact emphasizes the urgency of patching and updating the affected systems.

Severity Assessment and CVSS Scores

While SolarWinds labels these vulnerabilities as high-severity with a Common Vulnerability Scoring System (CVSS) score of 8.8, ZDI classifies them as critical with a CVSS score of 9.8. This disparity in severity assessment underscores the critical nature of these vulnerabilities and emphasizes the need for immediate action.

Lack of Proper Validation of User-Supplied Data

Among the identified vulnerabilities, one flaw stands out as a high-severity issue related to the lack of proper validation of user-supplied data in the ExecuteAction method. Tracked as CVE-2023-35184 with a CVSS score of 8.8, this vulnerability can also be exploited without authentication, further increasing its potential impact.

SolarWinds acknowledges two additional RCE vulnerabilities addressed in the Access Rights Manager update. However, authentication is required to exploit these vulnerabilities, mitigating their potential impact to some extent.

Explanation of the Bug’s Existence

The root cause behind these vulnerabilities lies in incorrect permissions set for files and folders created by the Access Rights Manager installer. These improper permissions inadvertently create opportunities for attackers to exploit the system.

Patching and Mitigation

To address these vulnerabilities, SolarWinds has promptly released Access Rights Manager 2023.2.1, which includes comprehensive patches for all identified flaws. Users are strongly urged to update their software immediately to ensure protection against potential exploitation.

Lack of Evidence of Exploitation

While SolarWinds has diligently addressed these vulnerabilities, there is no evidence thus far of any active exploitation. However, the absence of reported incidents does not diminish the importance of promptly patching and keeping software up-to-date.

SolarWinds’ swift response in releasing patches for the identified vulnerabilities in Access Rights Manager demonstrates its commitment to addressing potential security risks. The criticality of these vulnerabilities, as highlighted by ZDI, reinforces the need for users to update their software without delay. Ensuring the security of IT management systems is crucial in safeguarding sensitive data and preventing unauthorized access. By staying vigilant and proactive in patching and maintaining software, organizations can reduce the risk of compromise and enhance their overall cybersecurity posture.

Explore more

Can Federal Lands Power the Future of AI Infrastructure?

I’m thrilled to sit down with Dominic Jainy, an esteemed IT professional whose deep knowledge of artificial intelligence, machine learning, and blockchain offers a unique perspective on the intersection of technology and federal policy. Today, we’re diving into the US Department of Energy’s ambitious plan to develop a data center at the Savannah River Site in South Carolina. Our conversation

Can Your Mouse Secretly Eavesdrop on Conversations?

In an age where technology permeates every aspect of daily life, the notion that a seemingly harmless device like a computer mouse could pose a privacy threat is startling, raising urgent questions about the security of modern hardware. Picture a high-end optical mouse, designed for precision in gaming or design work, sitting quietly on a desk. What if this device,

Building the Case for EDI in Dynamics 365 Efficiency

In today’s fast-paced business environment, organizations leveraging Microsoft Dynamics 365 Finance & Supply Chain Management (F&SCM) are increasingly faced with the challenge of optimizing their operations to stay competitive, especially when manual processes slow down critical workflows like order processing and invoicing, which can severely impact efficiency. The inefficiencies stemming from outdated methods not only drain resources but also risk

Structured Data Boosts AI Snippets and Search Visibility

In the fast-paced digital arena where search engines are increasingly powered by artificial intelligence, standing out amidst the vast online content is a formidable challenge for any website. AI-driven systems like ChatGPT, Perplexity, and Google AI Mode are redefining how information is retrieved and presented to users, moving beyond traditional keyword searches to dynamic, conversational summaries. At the heart of

How Is Oracle Boosting Cloud Power with AMD and Nvidia?

In an era where artificial intelligence is reshaping industries at an unprecedented pace, the demand for robust cloud infrastructure has never been more critical, and Oracle is stepping up to meet this challenge head-on with strategic alliances that promise to redefine its position in the market. As enterprises increasingly rely on AI-driven solutions for everything from data analytics to generative