Get in Touch
SolarWinds discloses eight Access Rights Manager (ARM) tool vulnerabilities
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Eight vulnerabilities in the SolarWinds Access Rights Manager (ARM) tool have been disclosed, six of which pertain to remote code execution (RCE) and two to privilege escalation.
Three of the RCE flaws have been assigned a high severity level (CVSSv3.1 score of 8.8) and are being tracked as CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187. “The remaining three RCE issues all pertain to the SolarWinds service, or the ARM API. These flaws are being tracked as CVE-2023-35180 (CVSSv3.1 score: 8.0), CVE-2023-35184 (CVSSv3 score: 8.8), and CVE-2023-35186 (CVSSv3.1 score: 8.0).” (high severity level).
The two privilege escalation security flaws, tracked as CVE-2023-35181 and CVE-2023-35183, have both been assigned a CVSSv3.1 score of 7.8 (high severity level) and could allow threat actors to leverage local resources and incorrect folder permissions.
Impact
Successful exploitation of the vulnerabilities disclosed by SolarWinds would almost certainly allow a remote, unauthenticated threat actor to execute arbitrary code at system level (the highest level of privilege on a Windows machine) or abuse local resources and incorrect folder permissions to perform local privilege escalation, thereby hijacking compromised systems.
Vulnerability Detection
A security patch has been released by SolarWinds with regards to the disclosed vulnerabilities. As such, previous product versions remain vulnerable to potential exploitation.
Affected Products
SolarWinds Access Rights Manager
Containment, Mitigations & Remediations
It is strongly recommended that users of affected SolarWinds systems apply the ARM version 2023.2.1 update as a matter of urgency. This patch remediates all eight vulnerabilities.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Threat Landscape
SolarWinds occupies a significant portion of the IT management market share. The platform is used extensively within corporate networks across the industry sector spectrum. The ARM tool is directly involved with the management of critical network components, and it has therefore been assessed that cyber threat actors will almost certainly view organisations with operational protocols involving this tool as prime targets as they seek to meet their pre-defined objectives.
The Russian nation state-sponsored threat actor group, tracked as Midnight Blizzard, targeted SolarWinds in 2020 by deploying malicious code into the Orion IT monitoring and management software in a supply-chain compromise. Having been previously subjected to malicious cyber operations, it is therefore of critical importance to adhere to the recommended remediation and mitigation strategies to reduce the risk of exploitation.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Common Weakness Enumeration (CWE):
CVE-2023-35181, CVE-2023-35183: CWE-276 – Incorrect Default Permissions
CVE-2023-35180, CVE-2023-35184, CVE-2023-35186, CVE-2023-35182: CWE-502 – Deserialization of Untrusted Data
CVE-2023-35185, CVE-2023-35187: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Tactic:
TA0002 – Execution
TA0004 – Privilege Escalation
Further Information
TrendMicro Zero-Day Initiative Advisory
