SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could lead to remote code execution.
The vulnerability, tracked as CVE-2024-28991, has been rated 9.0 out of a maximum of 10.0 on the CVSS scoring system and is described as an instance of untrusted data deserialization.
“A remote code execution vulnerability has been identified in SolarWinds Access Rights Manager (ARM),” the company said in its advisory. “Successful exploitation of this vulnerability could allow an authenticated user to exploit the service, leading to remote code execution.”
Piotr Basidlo, a security researcher at the Trend Micro Zero Day Initiative (ZDI), is said to have discovered and reported the flaw on May 24, 2024.
ZDI, which assigned the flaw a CVSS score of 9.9, said the flaw exists in a class called JsonSerializationBinder and stems from a lack of proper validation of user-supplied data, exposing ARM devices to a deserialization vulnerability that could be exploited to execute arbitrary code.
“Although authentication is required to exploit this vulnerability, existing authentication mechanisms can be circumvented,” ZDI said.
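The flaw class ZDI describes, a deserialization binder that does not validate the type names it is handed, is worth contrasting with the defensive pattern of an allow-list binder. The following is an added illustration, not SolarWinds or ARM code, and nothing is known here about how ARM's own JsonSerializationBinder is written. It assumes Newtonsoft.Json (Json.NET), whose `ISerializationBinder` interface is real; the `TaskMessage` type, the `AllowListSerializationBinder` class and the JSON inputs are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical message type for the example; not an ARM type.
public sealed class TaskMessage
{
    public string Name { get; set; }
    public int Priority { get; set; }
}

// Allow-list binder: a "$type" property in the JSON may only resolve to a type
// registered here. Any other type name is rejected instead of being looked up
// and instantiated, which is the behaviour an unvalidated binder would have.
public sealed class AllowListSerializationBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed;

    public AllowListSerializationBinder(params Type[] allowed)
    {
        _allowed = new Dictionary<string, Type>(StringComparer.Ordinal);
        foreach (var t in allowed)
            _allowed[t.FullName] = t;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var type))
            return type;
        throw new JsonSerializationException(
            $"Type '{typeName}' is not permitted for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;            // emit bare type names only
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // Weak configuration: every "$type" value is resolved and instantiated.
    public static readonly JsonSerializerSettings Weak = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All
    };

    // Hardened configuration: polymorphic objects are still supported, but only
    // the types on the allow-list can be produced from untrusted input.
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListSerializationBinder(typeof(TaskMessage))
    };

    public static void Main()
    {
        // Constructed input naming a permitted type.
        string ok = "{\"$type\":\"TaskMessage\",\"Name\":\"rescan\",\"Priority\":1}";
        // Constructed input naming a type that is not on the allow-list.
        string bad = "{\"$type\":\"SomeOther.Type\",\"Name\":\"x\"}";

        var msg = JsonConvert.DeserializeObject<TaskMessage>(ok, Hardened);
        Console.WriteLine($"Accepted: {msg.Name} (priority {msg.Priority})");

        try
        {
            JsonConvert.DeserializeObject<object>(bad, Hardened);
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine($"Rejected: {e.Message}");
        }
    }
}
```

The design point is that the allow-list is checked on the type name before any type is loaded; if an application does not need polymorphic deserialization at all, `TypeNameHandling.None` (the Json.NET default) removes the binder from the attack surface entirely.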
Another vulnerability addressed by SolarWinds is a medium severity vulnerability in ARM (CVE-2024-28990, CVSS score: 6.3) that exposes hardcoded credentials that, if exploited, could lead to unauthorized access to the RabbitMQ management console.
Both issues have been fixed in ARM version 2024.3.1. While there is currently no evidence that the vulnerabilities are being actively exploited in the wild, we encourage you to update to the latest version as soon as possible to protect yourself from potential threats.
This development comes after D-Link resolved three critical vulnerabilities (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697, CVSS score: 9.8) affecting its DIR-X4860, DIR-X5460, and COVR-X1870 routers. The vulnerabilities could allow remote execution of arbitrary code and system commands.