SolarWinds has released patches addressing 11 critical security vulnerabilities in its Access Rights Manager (ARM) software. These vulnerabilities could potentially allow unauthorized access to sensitive data and the execution of arbitrary code. Seven of these flaws are rated as Critical, each carrying a CVSS score of 9.6 out of 10.0, while the remaining four are rated High with a CVSS score of 7.6. The vulnerabilities have been identified and patched in version 2024.3, which was released on July 17, 2024, following responsible disclosure through the Trend Micro Zero Day Initiative (ZDI).
Among the most severe vulnerabilities is CVE-2024-23472, a directory traversal flaw that allows arbitrary file deletion and information disclosure. Another significant flaw, CVE-2024-28074, involves internal deserialization that could enable remote code execution. Other critical vulnerabilities include CVE-2024-23469, which exposes dangerous methods leading to remote code execution, and CVE-2024-23471, a CreateFile directory traversal vulnerability also allowing remote code execution. Exploitation of these flaws could grant attackers elevated privileges, enabling them to read, delete, and execute files on compromised systems.
This patch release follows a recent development where the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity path traversal flaw (CVE-2024-28995) in SolarWinds Serv-U Path to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild. The persistent focus on SolarWinds’ security measures underscores the critical need for robust cybersecurity practices, especially given the company’s past experiences with significant cyber threats.
In 2020, SolarWinds was the victim of a major supply chain attack that compromised the update mechanism associated with its Orion network management platform. This attack, attributed to Russian APT29 hackers, involved distributing malicious code to downstream customers as part of a high-profile cyber espionage campaign. The incident led to a lawsuit filed by the U.S. Securities and Exchange Commission (SEC) against SolarWinds and its Chief Information Security Officer (CISO) last October. The SEC alleged that the company failed to disclose adequate material information to investors regarding cybersecurity risks. However, on July 18, 2024, the U.S. District Court for the Southern District of New York dismissed much of the lawsuit, stating that the claims did not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack and relied too heavily on hindsight and speculation.
Reference:
