Warning: Multiple Critical Vulnerabilities In SolarWinds Access Rights Manager (ARM), Patch Immediately!

Reference: Advisory #2024-109
Version: 1.0
Affected software: SolarWinds Access Rights Manager (ARM)
Type: Information Disclosure, Remote Code Execution (RCE), Authentication Bypass
CVE/CVSS:

CVE-2024-23465: CVSS 8.3 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23466: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23467: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23468: CVSS 7.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
CVE-2024-23469: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23470: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23471: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23472: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-23474: CVSS 7.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
CVE-2024-23475: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-28074: CVSS 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-28992: CVSS 7.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
CVE-2024-28993: CVSS 7.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

Sources

SolarWinds: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm

Risks

Trend Micro's Zero Day Initiative has discovered several high and critical severity vulnerabilities in SolarWinds Access Rights Manager (ARM). Successful exploitation of these vulnerabilities could lead to arbitrary code execution and a complete compromise of the system.

SolarWinds ARM provides Microsoft Active Directory integration and role-based access control. It is used to manage and audit user access rights to systems, data, and files. Compromise of this system could have a severe impact on your organization, and potentially lead to data theft, extortion, and ransomware. The integration with Active Directory makes this a high-value target for attackers who manage to breach your perimeter.

Description

CVE-2024-23472; CVE-2024-23475

CVSS 9.6, Critical, Information Disclosure Vulnerability.

These vulnerabilities allow attackers to delete and leak sensitive information.

CVE-2024-23466; CVE-2024-23467; CVE-2024-23469; CVE-2024-23470; CVE-2024-23471; CVE-2024-28074

CVSS 9.6, Critical, Remote Code Execution Vulnerability.

These vulnerabilities allow unauthenticated attackers to execute arbitrary code on the system with SYSTEM privileges.

CVE-2024-23465

CVSS 8.3, High, Authentication Bypass Vulnerability.

This vulnerability allows an attacker to gain admin access within the Active Directory environment.

CVE-2024-23468; CVE-2024-23474; CVE-2024-28992; CVE-2024-28993

CVSS 7.6, High, Information Disclosure Vulnerability.

These vulnerabilities allow attackers to delete and leak sensitive information.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Update to version 2024.3 or newer. More information can be found in the SolarWinds Advisory.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Security Online: https://securityonline.info/solarwinds-patches-multiple-critical-vulnerabilities-in-access-rights-manager/
CCB (Previous Advisory): https://cert.be/nl/advisory/warning-multiple-critical-vulnerabilities-affect-solarwinds-access-rights-manager-tool