Multiple critical flaws have been found and patched in SolarWinds' Access Rights Manager (ARM) product. The vulnerabilities were reported through Trend Micro's Zero Day Initiative (ZDI), which submitted a total of eight flaws to the company on June 22nd. Three of them are rated critical: they potentially allow remote attackers to run code with SYSTEM privileges on affected systems.
The three critical vulnerabilities allow code execution in the context of the Windows SYSTEM account, the most privileged account on the host. An attacker who reaches SYSTEM has full control of the affected machine, not only of its files.
- CVE-2023-35182, with a severity score of 9.8, allows remote attackers to execute arbitrary code in the context of SYSTEM by exploiting deserialization of untrusted data in the 'createGlobalServerChannelInternal' method.
- CVE-2023-35185, with a severity score of 9.8, allows remote unauthenticated attackers to execute arbitrary code in the context of SYSTEM because user-supplied paths are not validated in the 'OpenFile' method.
- CVE-2023-35187, with a severity score of 9.8, allows remote unauthenticated attackers to execute arbitrary code in the context of SYSTEM because user-supplied paths are not validated in the 'OpenClientUpdateFile' method.
SolarWinds Issues Prompt Response
SolarWinds, whose Access Rights Manager product manages and audits user access rights in IT environments, addressed the vulnerabilities quickly. The Texas-based company issued a patch, available as of version 2023.2.1 of Access Rights Manager. A SolarWinds spokesperson issued the following statement:
“SolarWinds has developed a patch for these issues and communicated with customers about the steps needed to apply the fix to harden their environments. We are not aware of any evidence that any of these vulnerabilities have been exploited.”
The same release also addresses the remaining five vulnerabilities, which are rated high severity. These flaws could have allowed an authenticated attacker to escalate privileges or execute arbitrary code on the host.
Security Assessment and Customer Advisory
SolarWinds itself did not rate any of the issues as critical; the highest score in its own advisory is 8.8 (high), below the 9.8 scores listed above. The company released the advisory this week, describing each vulnerability and its severity rating, and urged customers to update to the latest version of Access Rights Manager, since only unpatched installations are exposed.
According to the advisory, all eight vulnerabilities are fixed in the patched release. The vendor says it continues to monitor the situation, and customers are advised to keep following standard security practices to limit the impact of any future vulnerabilities.
The Legacy of Solarigate
SolarWinds is, of course, no stranger to major security incidents. The Solarigate supply-chain attack, in which a trojanized update to the SolarWinds Orion platform was distributed to customers, made headlines in December 2020. Roughly 18,000 organizations, including government agencies, downloaded the backdoored Orion update, but only a much smaller number were targeted with follow-on intrusion activity.