Critical RCE flaws found in SolarWinds access audit solution

Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges.

SolarWinds ARM is a tool that enables organizations to manage and audit user access rights across their IT environments. It offers Microsoft Active Directory integration, role-based access control, visual feedback, and more.

Through Trend Micro’s Zero Day Initiative (ZDI), researchers reported eight flaws in the SolarWinds solution on June 22, three of them with critical severity.

The vendor addressed all vulnerabilities earlier this week with a patch available in version 2023.2.1 of its Access Rights Manager.

Below is the description and identifier for the three critical remote code execution (RCE):

• CVE-2023-35182 (9.8 severity): Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to the deserialization of untrusted data in the ‘createGlobalServerChannelInternal’ method
• CVE-2023-35185 (9.8 severity): Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to a lack of validation of user-supplied paths in the ‘OpenFile’ method
• CVE-2023-35187 (9.8 severity): Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM without authentication due to lack of validation of user-supplied paths in the ‘OpenClientUpdateFile’ method

Executing code in the context of “SYSTEM” on Windows computers means that it runs with the highest privileges on the machine.

SYSTEM is an internal account reserved for the operating system and its services. Attackers gaining this level of privileges have full control over all files on the victim machine.

The rest of the security issues that SolarWinds addressed in its Access Right Manager are high-severity and attackers could exploit them to increase permissions or execute arbitrary code on the host after authentication.

SolarWinds published an advisory this week describing the eight vulnerabilities and their severity rating, as assessed by the company.

It is worth noting that the company did not rate any of the security issues as critical and the highest rating is 8.8, for high-severity issues.