SolarWinds has recently addressed a critical deserialization vulnerability in its Access Rights Manager (ARM) software, discovered by security researcher Piotr Bazydlo [4] [5].
Description
The flaw, tracked as CVE-2024-28991 [1] [3] [4] and rated CVSS 9.0 [5], is a remote code execution vulnerability [5]: an authenticated user can abuse the service by supplying data that ARM deserializes without adequate validation. The root cause is improper validation of user-supplied data in the JsonSerializationBinder class [4]; because a serialization binder is the component that maps a type name in the serialized payload to a runtime type, weak validation there lets an attacker steer which type is instantiated during deserialization and ultimately execute arbitrary code. Although authentication is nominally required, the existing authentication mechanism can be bypassed [4]. A second, medium-severity issue (CVE-2024-28990) exposed a hard-coded credential that granted unauthorized access to the RabbitMQ management console; both issues are fixed in ARM version 2024.3.1 [5]. Although there is currently no evidence of active exploitation or publicly available exploit code [2], SolarWinds advises all users to update to the latest version [5].
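The root cause described above has the classic shape of a .NET JSON deserialization bug: a serialization binder that turns attacker-controlled type names into runtime types without restriction. The following is an added illustration of that pattern and its hardened form; it is not code from SolarWinds ARM or from the researcher's report. It assumes Json.NET (Newtonsoft.Json) and its ISerializationBinder interface, and the class names PermissiveBinder, AllowListBinder and UserRequest, as well as the JSON payload, are hypothetical and constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical DTO the application legitimately expects to receive.
public class UserRequest
{
    public string UserName { get; set; }
}

// Vulnerable pattern: the binder trusts the type and assembly names carried in the
// JSON "$type" metadata, so whoever sends the JSON decides which class is instantiated.
public class PermissiveBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName)
    {
        // No allow-list: any loadable type name resolves.
        return Type.GetType($"{typeName}, {assemblyName}", throwOnError: true);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = serializedType.Assembly.FullName;
        typeName = serializedType.FullName;
    }
}

// Hardened pattern: only an explicit allow-list of expected types resolves;
// anything else is rejected before any constructor or property setter runs.
public class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(UserRequest).FullName] = typeof(UserRequest),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type permitted))
            return permitted;
        throw new JsonSerializationException(
            $"Type '{typeName}' is not permitted for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null; // the allow-list keys on the full type name only
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    // Constructed payload: "$type" names a harmless framework type that the
    // application never expects to receive. An attacker would name a gadget type instead.
    private const string Payload =
        "{\"$type\":\"System.Text.StringBuilder, mscorlib\",\"Capacity\":32}";

    public static object Deserialize(string json, ISerializationBinder binder)
    {
        var settings = new JsonSerializerSettings
        {
            // Any value other than None makes Json.NET honour "$type" on input.
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = binder,
        };
        return JsonConvert.DeserializeObject<object>(json, settings);
    }

    public static void Main()
    {
        // The permissive binder happily builds whatever type the payload names.
        object permissive = Deserialize(Payload, new PermissiveBinder());
        Console.WriteLine($"PermissiveBinder instantiated: {permissive.GetType().FullName}");

        // The allow-list binder refuses the same payload before any object is created.
        try
        {
            Deserialize(Payload, new AllowListBinder());
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine($"AllowListBinder rejected payload: {ex.Message}");
        }
    }
}
```

The check to make when auditing code like this is whether BindToType can return a type the caller did not anticipate; if the method ends in a generic Type.GetType or Assembly.Load on caller-supplied strings, the binder is not a control at all. The stronger fix is TypeNameHandling.None wherever polymorphic typing is not genuinely needed; an allow-list binder is the fallback when it is.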
Conclusion
Users of SolarWinds ARM should update to version 2024.3.1 or later without delay. The absence of public exploit code today is not a reason to defer patching a component that manages access rights: a critical deserialization flaw in such a system, combined with a hard-coded credential, is exactly the kind of weakness attackers target once details become public. Applying the fix promptly protects the integrity of the systems and data that ARM governs.
References
[1] https://securityaffairs.com/168456/security/solarwinds-fixed-rce-cve-2024-28991.html
[2] https://fieldeffect.com/blog/solarwinds-patches-two-access-rights-manager-vulnerabilities
[3] https://www.techradar.com/pro/security/critical-arm-vulnerability-that-could-have-allowed-rce-patched-by-solarwinds
[4] https://rhyno.io/blogs/cybersecurity-news/solarwinds-patches-critical-arm-flaw/
[5] https://thehackernews.com/2024/09/solarwinds-issues-patch-for-critical.html