[CVSS 9+] SolarWinds Patches Critical ARM Vulnerabilities

Summary

SolarWinds fixed three critical remote code execution (RCE) vulnerabilities in its Access Rights Manager (ARM) product.

The flaws were reported on June 22 through Trend Micro’s Zero Day Initiative and were rectified by SolarWinds on October 18, with the release of ARM version 2023.2.1.

SolarWinds highlighted that they were not aware of any exploitation.

Organisations using SolarWinds ARM are urged to prioritise applying the patch released by SolarWinds.

About the Vulnerabilities

The three critical RCE flaws are as follows:

  1. CVE-2023-35182: This vulnerability, with a CVSS score of 9.8, allows remote attackers to execute arbitrary code on affected installations of SolarWinds Access Rights Manager. The flaw exists within the createGlobalServerChannelInternal method and results from the lack of proper validation of user-supplied data, leading to deserialisation of untrusted data.
  2. CVE-2023-35185: This vulnerability, with a CVSS score of 9.8, allows remote attackers to execute arbitrary code on affected installations of SolarWinds Access Rights Manager. The flaw exists within the OpenFile method and results from the lack of proper validation of a user-supplied path prior to using it in file operations.
  3. CVE-2023-35187: This vulnerability, with a CVSS score of 9.8, allows remote attackers to execute arbitrary code on affected installations of SolarWinds Access Rights Manager. The flaw exists within the OpenClientUpdateFile method and results from the lack of proper validation of a user-supplied path prior to using it in file operations.
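Items 2 and 3 describe the same weakness: a caller-supplied path reaches a file operation before anyone checks where it points. The following is an added example (not SolarWinds code; the directory layout, method names and requests are constructed) showing that pattern next to a hardened version that canonicalises the path and proves it stays inside the directory the service is meant to serve:

```python
"""Hardened handling of a caller-supplied file path, modelled on the
OpenFile / OpenClientUpdateFile weakness described above (a path used in
file operations without validation). Added example, not SolarWinds code;
the directory layout, method names and requests are constructed."""
import os
import tempfile

# Constructed layout: ROOT holds files the service may serve; a file one
# level above it stands in for anything the caller must not reach.
BASE = tempfile.mkdtemp(prefix="arm_demo_")
ROOT = os.path.join(BASE, "updates")
os.mkdir(ROOT)
with open(os.path.join(ROOT, "client_update.bin"), "wb") as fh:
    fh.write(b"UPDATE-PAYLOAD")
with open(os.path.join(BASE, "outside.txt"), "wb") as fh:
    fh.write(b"not-for-clients")


def open_client_update_file_vulnerable(name: str) -> bytes:
    """The pattern the advisory describes: the supplied name goes straight
    into a file operation. '..' segments or an absolute path leave ROOT."""
    with open(os.path.join(ROOT, name), "rb") as fh:
        return fh.read()


def resolve_inside_root(name: str, root: str = ROOT) -> str:
    """Canonicalise the request and prove the result stays under root.
    realpath also follows symlinks, so a link pointing outside is caught."""
    if "\x00" in name:
        raise ValueError("NUL byte in requested path")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"request escapes root: {name!r}")
    return target


def open_client_update_file_hardened(name: str) -> bytes:
    """Same operation, but only after the containment check passes."""
    with open(resolve_inside_root(name), "rb") as fh:
        return fh.read()


def is_safe_request(name: str) -> bool:
    """Boolean view of the check, handy for logging rejected requests."""
    try:
        resolve_inside_root(name)
        return True
    except ValueError:
        return False
```

Rejected requests are worth logging at the service boundary: a burst of `..`-bearing or absolute paths against a file-serving method is a useful detection signal even on patched builds.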

SolarWinds has explained: “SolarWinds has developed a patch for these issues and communicated with customers about the steps needed to apply the fix to harden their environments. We are not aware of any evidence that any of these vulnerabilities have been exploited.”

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.