July 18, 2024 at 11:57AM
SolarWinds addressed critical vulnerabilities in its Access Rights Manager software, including RCE and directory traversal flaws. These flaws could allow unprivileged attackers to execute code, delete files, and obtain sensitive information. The company released version 2024.3 with security fixes. SolarWinds has yet to confirm if exploits for the flaws are in the wild or have been used in attacks.
Key takeaways from the report:
1. SolarWinds has addressed eight critical vulnerabilities in its Access Rights Manager (ARM) software, including six flaws that allowed attackers to execute code remotely on vulnerable devices.
2. The RCE vulnerabilities carry a severity score of 9.6/10 and allow unprivileged attackers to execute code or commands on unpatched systems, with or without SYSTEM privileges depending on which flaw is exploited.
3. Additionally, the company patched three critical directory traversal flaws that allow unauthenticated users to perform arbitrary file deletion and obtain sensitive information.
4. SolarWinds also fixed a high-severity authentication bypass vulnerability that could allow unauthenticated malicious actors to gain domain admin access within the Active Directory environment.
5. The vulnerabilities were reported through Trend Micro’s Zero Day Initiative, and SolarWinds released the fixes in Access Rights Manager 2024.3.
6. It is unclear whether proof-of-concept exploits for these flaws are available in the wild or whether any of them have been exploited in attacks.
7. The company had previously patched five other RCE vulnerabilities in the Access Rights Manager solution in February.
8. SolarWinds suffered a supply-chain attack in 2020 in which the Russian APT29 hacking group injected malicious code into Orion IT administration platform builds, then singled out a significantly smaller number of SolarWinds customers for further exploitation.
9. Multiple U.S. government agencies confirmed that their networks were breached in the campaign, and the U.S. government formally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the 2020 SolarWinds attack.
10. In October 2023, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds for failing to notify investors of cybersecurity defense issues before the hack.
These takeaways cover the critical vulnerabilities SolarWinds addressed, the 2020 supply-chain attack it suffered, and the subsequent actions and accusations by the U.S. government.