SolarWinds Patches Critical Vulnerabilities in Access Rights Manager


July 19, 2024 at 07:01AM

SolarWinds released security updates for Access Rights Manager, resolving 13 vulnerabilities, including eight critical-severity bugs. Six critical flaws could be exploited for remote code execution, while the remaining two could allow attackers to read and delete arbitrary files. Five high-severity issues were also addressed, impacting domain admin access and arbitrary file deletion. Users should update Access Rights Manager immediately.

SolarWinds has announced security updates for its Access Rights Manager to address a total of 13 vulnerabilities, including eight critical-severity bugs. Six of these critical flaws could be exploited for remote code execution, while the remaining two critical-severity issues are path traversal bugs that could allow attackers to read and delete arbitrary files.

All vulnerabilities were reported in January through Trend Micro’s Zero Day Initiative. Six of the vulnerabilities result from the lack of proper validation of user-supplied input, while two of them result from an exposed dangerous method and could allow attackers to execute code with System privileges.
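The path traversal class described above comes from joining a user-supplied file name onto a base directory without validating the result. The following is an added illustration of that defect beside a hardened form; it is not code from Access Rights Manager or SolarWinds, and the base directory, function names and sample requests are constructed for the example.

```python
import posixpath
from typing import List, Optional, Tuple

# Hypothetical base directory for a file-serving or file-deleting endpoint.
# Constructed for this example; it is not a real Access Rights Manager path.
BASE_DIR = "/srv/app/reports"


def resolve_unsafe(user_name: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined without validation.
    '../' segments walk out of BASE_DIR, and an absolute name replaces it entirely,
    so a read or delete performed on the result touches arbitrary files."""
    return posixpath.join(BASE_DIR, user_name)


def resolve_safe(user_name: str) -> Optional[str]:
    """Hardened pattern: normalise the joined path and require that it still lies
    strictly inside BASE_DIR. Returns None when the request must be rejected.
    Lexical normalisation is used here so the example is deterministic; a real
    service should also resolve symlinks (os.path.realpath) before this check."""
    if not user_name or "\x00" in user_name:
        return None
    # Drop any leading slash so an absolute name cannot override BASE_DIR in join().
    relative = user_name.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, relative))
    # Containment check: the normalised path must start with BASE_DIR plus a separator,
    # which also rejects sibling directories such as /srv/app/reports-old.
    if candidate.startswith(BASE_DIR + "/"):
        return candidate
    return None


# Constructed sample requests: one legitimate name and several malformed ones.
SAMPLE_REQUESTS = [
    "2024-07/domain-admins.csv",   # legitimate relative name
    "../../../etc/passwd",         # traversal straight out of the base directory
    "reports/../../secrets.txt",   # traversal hidden behind a valid-looking segment
    "/etc/shadow",                 # absolute path that join() would accept verbatim
    "a\x00.csv",                   # NUL byte, which some lower layers truncate on
]


def audit(requests: List[str] = SAMPLE_REQUESTS) -> List[Tuple[str, str, Optional[str]]]:
    """Return (request, unsafe result, safe result) for each request so the two
    behaviours can be compared side by side."""
    return [(r, resolve_unsafe(r), resolve_safe(r)) for r in requests]


if __name__ == "__main__":
    for request, unsafe, safe in audit():
        print(f"{request!r:32} unsafe={unsafe!r:45} safe={safe!r}")
```

The check deliberately compares against `BASE_DIR + "/"` rather than `BASE_DIR` alone; a plain prefix comparison would accept a sibling directory whose name merely begins with the same characters. On Windows hosts the same logic must also treat backslashes as separators before normalising, otherwise `..\\` sequences pass through untouched.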

It is important to note that these bugs have a CVSS score of 9.6 according to SolarWinds, while ZDI lists all of them with a CVSS 3.0 score of 10. The flaws impact Access Rights Manager version 2023.2.4 and prior releases and were addressed in Access Rights Manager version 2024.3, which was released on July 17.

In addition to the critical flaws, there are five high-severity vulnerabilities that could allow attackers to perform arbitrary file deletion, information disclosure, and gain domain admin access. Users are advised to update their Access Rights Manager as soon as possible.

Access Rights Manager is used within enterprise environments to generate Active Directory (AD) and Azure AD reports, allowing administrators to manage users’ access rights and review access logs. Additional information can be found on SolarWinds’ security advisories page and on ZDI’s published advisories page.
