Update now: SolarWinds fixes 5 RCE vulnerabilities in Access Rights Manager

Critical flaws have been corrected, but there are still questions for the company...

SolarWinds, a well-known developer of IT infrastructure management software, has released updates to address five vulnerabilities that allow remote code execution (RCE) in its Access Rights Manager (ARM) product. Among them, three vulnerabilities are assessed as critical, as they can be exploited without authentication.

ARM is used by companies to manage and audit access rights in their IT infrastructures, which minimizes the risks associated with threats from internal users.

Two of the critical vulnerabilities, CVE-2024-23476 and CVE-2024-23479 (CVSS 9.6 each), are path traversal flaws, and the third, CVE-2023-40057 (CVSS 9.0), is an unsafe deserialization of untrusted data issue. All three can be exploited by unauthenticated attackers to execute code on target systems that have not been updated to a fixed software version.

Two other vulnerabilities, CVE-2024-23477 and CVE-2024-23478 (CVSS 7.9 and 8.0), can also be used for RCE attacks and are classified as high-severity issues.

All vulnerabilities were discovered by independent researchers as part of the Zero Day Initiative (ZDI) from Trend Micro.

Access Rights Manager 2023 update.2.3, released on February 15, includes fixes for all five vulnerabilities listed above, as well as additional security improvements. A SolarWinds representative said that the company has not received any reports of these vulnerabilities being exploited in the wild.

The developers responded well, quickly closing critical security flaws in their product, for which SolarWinds can only be praised. What the company cannot be praised for is its policy of half-truths, which the US Securities and Exchange Commission (SEC) accused SolarWinds of in October last year.