CVE-2024-28991: Serious Vulnerability in SolarWinds ARM Fixed
SolarWinds has released updates to address two vulnerabilities in its Access Rights Manager (ARM) software, one of which is classified as critical. The vulnerability, identified as CVE-2024-28991, has been assigned a CVSS score of 9.0 out of 10 and is associated with improper data deserialization, potentially leading to remote code execution (RCE).
In a published notification, SolarWinds states that this vulnerability allows an authenticated user to misuse the service, opening the possibility of remote execution of arbitrary code. The issue was discovered by security researcher Piotr Bazydlo, who reported it through the Zero Day Initiative (ZDI) program on May 24, 2024.
Notably, ZDI experts assigned the vulnerability a higher CVSS score of 9.9. They note that the root cause is insufficient validation of user-supplied data, which allows ARM installations to deserialize attacker-controlled input and, consequently, execute arbitrary code. Although exploitation requires authentication, ZDI emphasizes that the current authentication mechanism can be bypassed.
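The pattern ZDI describes, a service that instantiates whatever type the incoming serialized data names, is the generic shape of an insecure-deserialization bug. The following Python snippet is an added illustration and is not SolarWinds code; the advisory does not disclose ARM's serialization format, so this uses Python's `pickle` as a stand-in, and `AccessRight`, `ALLOWED_GLOBALS`, `RestrictedUnpickler` and the sample payloads are all constructed for the example. It contrasts an unrestricted loader with one that validates every class reference against an allow-list before any object is built:

```python
import datetime
import io
import pickle
from dataclasses import dataclass


@dataclass
class AccessRight:
    """Stand-in record type, constructed for this example (not ARM's data model)."""
    principal: str
    resource: str
    permission: str


# Allow-list of the only (module, name) pairs the unpickler may resolve.
# Anything else, including standard-library types, is refused before any
# object is constructed.
ALLOWED_GLOBALS = {
    (AccessRight.__module__, "AccessRight"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that checks every class reference against ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused to resolve {module}.{name}: not on the allow-list"
        )


def restricted_loads(data: bytes):
    """Deserialize with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# The "insufficient validation" variant: instantiates whatever the bytes name.
unrestricted_loads = pickle.loads


def try_load(data: bytes, loader=restricted_loads):
    """Return (True, object) on success, or (False, reason) if the loader refuses."""
    try:
        return True, loader(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample inputs: one legitimate record, and one payload naming a
# type the service never expects. datetime.date is harmless; it stands in for
# any class outside the allow-list.
GOOD_RECORD = pickle.dumps(
    AccessRight("alice", r"\\fs01\share", "read"), protocol=pickle.HIGHEST_PROTOCOL
)
UNEXPECTED_TYPE = pickle.dumps(
    datetime.date(2024, 5, 24), protocol=pickle.HIGHEST_PROTOCOL
)


if __name__ == "__main__":
    # Unrestricted: both payloads are accepted, the unexpected type included.
    print("unrestricted:", try_load(GOOD_RECORD, unrestricted_loads),
          try_load(UNEXPECTED_TYPE, unrestricted_loads))
    # Restricted: the expected record loads, the unexpected type is refused.
    print("restricted:  ", try_load(GOOD_RECORD), try_load(UNEXPECTED_TYPE))
```

The defensive point is that the check happens in `find_class`, i.e. before the deserializer constructs anything, so an unexpected type is rejected rather than instantiated and then inspected. For a real service the allow-list would be the handful of record types the protocol actually exchanges, and any refusal is worth logging as a detection signal.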
In addition to CVE-2024-28991, SolarWinds also addressed a medium-severity vulnerability (CVE-2024-28990) with a CVSS score of 6.3, which is related to the use of hard-coded credentials. This could have allowed attackers to gain unauthorized access to the RabbitMQ management console.
Both issues have been rectified in ARM version 2024.3.1. While no instances of active exploitation of the vulnerabilities have been observed, users are strongly encouraged to update their software promptly to protect against potential threats.
Last month, SolarWinds also addressed two critical issues in another of its software products, Web Help Desk (WHD). Vulnerability CVE-2024-28987 (CVSS: 9.1) allowed remote, unauthenticated users to gain unauthorized access to vulnerable system instances, while CVE-2024-28986 (CVSS: 9.8) could be exploited for arbitrary code execution.
As this case shows once again, even recognized industry leaders ship serious flaws in their software, and a single vulnerable component can put an entire organization at risk. Timely patching is not merely a recommendation but a critical necessity for keeping pace with the ever-evolving landscape of digital threats.