SolarWinds patches eight critical flaws in Access Rights Manager software
Disclosure raises fresh security concerns
SolarWinds, the network management company still reeling from the aftermath of a major 2020 supply chain attack, has addressed eight critical vulnerabilities in its Access Rights Manager (ARM) software.
The critical flaws, rated 9.6 out of 10 on the Common Vulnerability Scoring System (CVSS), could allow attackers not only to steal sensitive information but also, potentially, to take complete control of affected systems by executing malicious code.
In total, SolarWinds patched 13 security flaws last week, of which eight are rated as "Critical", while five are "High" in terms of severity.
The eight critical flaws addressed by the company are listed below:
- CVE-2024-23467 - Traversal Remote Code Execution (RCE) Vulnerability
- CVE-2024-23469 - Exposed Dangerous Method RCE Vulnerability
- CVE-2024-23470 - UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability
- CVE-2024-23471 - CreateFile Directory Traversal RCE Vulnerability
- CVE-2024-28074 - Internal Deserialization RCE Vulnerability
- CVE-2024-23475 - Traversal and Information Disclosure Vulnerability
- CVE-2024-23472 - Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability
- CVE-2024-23466 - Directory Traversal RCE Vulnerability
The RCE vulnerabilities are particularly concerning as they could grant attackers a foothold within a system without needing any prior access.
Similarly, directory traversal flaws enable attackers to navigate beyond restricted areas within a system, potentially accessing and deleting important files or even launching further attacks with elevated privileges.
SolarWinds also addressed a high-severity authentication bypass weakness (CVE-2024-23465) that could grant attackers complete control over user accounts within the Active Directory environment, potentially compromising an entire network.
The company released version 2024.3 of ARM to address these flaws.
While SolarWinds hasn't confirmed whether these vulnerabilities are being actively exploited, security experts urge users to update their software immediately.
The disclosure highlights the ongoing challenge of cybersecurity and the importance of prioritising robust security practices and prompt patching.
Earlier this year, SolarWinds fixed five other RCE weaknesses in the ARM solution, three of which were rated critical.
Judge dismisses lawsuit against SolarWinds
The latest revelation about new bugs in SolarWinds software comes as a US District Judge last week dismissed most of a lawsuit that accused SolarWinds of misleading investors about cybersecurity weaknesses before and after the 2020 cyberattack that targeted dozens of government agencies and private firms in the US.
The lawsuit was filed by the Securities and Exchange Commission (SEC) in October 2023.
In the ruling on 18th July, Judge Paul Engelmayer said that the SEC's claims were based largely on "hindsight and speculation," and failed to meet the legal threshold for securities fraud.
He dismissed all charges against SolarWinds and its CISO, Timothy Brown, regarding statements made after the attack. The judge also threw out most claims concerning pre-attack statements, except for one related to a website blurb about the company's security controls.
The SolarWinds attack was disclosed in December 2020, after the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were compromised in a massive cyber campaign.
An investigation revealed that the hackers managed to breach the networks of multiple organisations after compromising SolarWinds' network monitoring software Orion.
The software was widely used by government departments and private companies.
The attackers inserted malicious code into legitimate software updates for Orion, which gave them remote access to victims' environments.
The SEC's lawsuit was unique in several ways. It was the first targeting a cyberattack victim without a simultaneous settlement; moreover, the SEC rarely sues non-financial executives like Brown.
In its lawsuit, the SEC argued SolarWinds failed to disclose customer warnings about suspicious activity on Orion.
Judge Engelmayer, however, disagreed. He ruled that anti-fraud laws don't require companies to provide excessively specific risk warnings, as this could inadvertently aid attackers.
He also highlighted that SolarWinds acknowledged the inherent risk of cyberattacks and could not be expected to prevent every single one.
"It has already disclosed the likelihood of these as, regrettably, a fact of life," Judge Engelmayer wrote in his ruling.