Vulnerabilities

CVE-2023-35182, CVE-2023-35185, CVE-2023-35187: SolarWinds Access Rights Manager (ARM) Vulnerabilities

This advisory is for organizations that use SolarWinds Access Rights Manager (ARM) to manage and audit user access rights. If your organization does not run this product, this notification can be discarded.

Summary

SolarWinds has released ARM 2023.2.1 to address several vulnerabilities in its Access Rights Manager product. Three of the fixed issues are rated critical (CVSSv3 9.8) and could allow a remote, unauthenticated attacker to execute arbitrary code in the context of SYSTEM on the ARM server. Because no credentials are needed, exposure depends only on whether an attacker can reach the ARM server over the network.

CVE-2023-35182 – ARM Deserialization of Untrusted Data Remote Code Execution (CVSSv3: 9.8)

CVE-2023-35185 – ARM Directory Traversal Remote Code Execution (CVSSv3: 9.8)

CVE-2023-35187 – ARM Directory Traversal Remote Code Execution (CVSSv3: 9.8)

Affected Products/Versions

ARM 2023.1 and earlier. The fix ships in ARM 2023.2.1, so any installation running a version older than 2023.2.1 should be treated as affected until upgraded.

Mitigations

Upgrade to ARM 2023.2.1 or later. Release notes: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm

Until the upgrade is applied, restrict network access to the ARM server to the administrative hosts that need it, since the critical issues require no authentication.
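The following PowerShell script is an added example for verifying the patch status on an ARM server; it is not from SolarWinds or from this advisory. It reads the standard Windows Uninstall registry keys and flags any product whose DisplayVersion is older than the fixed release 2023.2.1. The DisplayName fragment "Access Rights Manager" and the dotted-version format of DisplayVersion are assumptions about how the product registers itself; adjust $NamePattern if your inventory shows a different name.

```powershell
# Added example (not SolarWinds code): flag ARM installs older than the fixed release.
# Assumptions (labelled): ARM appears under the standard Uninstall keys with a
# DisplayName containing "Access Rights Manager" and a dotted DisplayVersion.

$FixedVersion = [version]'2023.2.1'
$NamePattern  = 'Access Rights Manager'   # assumed DisplayName fragment; adjust if needed

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-ArmVersionVulnerable {
    param(
        [Parameter(Mandatory)] [string] $DisplayVersion,
        [version] $Fixed = $FixedVersion
    )
    # [version] needs numeric, dotted input with at least two components.
    $clean = ($DisplayVersion -replace '[^0-9.]', '').Trim('.')
    if ($clean -notmatch '\.') { $clean = "$clean.0" }

    $parsed = $null
    if (-not [version]::TryParse($clean, [ref]$parsed)) {
        Write-Warning "Could not parse version '$DisplayVersion'; review manually."
        return $true   # fail closed: an unparseable version is treated as unpatched
    }
    return ($parsed -lt $Fixed)
}

$installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$NamePattern*" }

if (-not $installs) {
    Write-Output "No '$NamePattern' entry found in the Uninstall registry keys on $env:COMPUTERNAME."
    Write-Output "If ARM is installed under a different name, confirm the version from the ARM console instead."
    return
}

foreach ($app in $installs) {
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Product      = $app.DisplayName
        InstalledVer = $app.DisplayVersion
        FixedVer     = $FixedVersion.ToString()
        NeedsPatch   = (Test-ArmVersionVulnerable -DisplayVersion $app.DisplayVersion)
    }
}
```

Run it in an elevated session on each ARM server, or wrap it in Invoke-Command to sweep a list of hosts; a NeedsPatch value of True means the host is still on a release older than 2023.2.1. The version comparison uses System.Version rather than string comparison so that, for example, 2023.2 correctly sorts below 2023.2.1.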

Additional Resources

CVE-2023-35182: https://www.zerodayinitiative.com/advisories/ZDI-23-1564/

CVE-2023-35185: https://www.zerodayinitiative.com/advisories/ZDI-23-1565/

CVE-2023-35187: https://www.zerodayinitiative.com/advisories/ZDI-23-1567/

https://www.bleepingcomputer.com/news/security/critical-rce-flaws-found-in-solarwinds-access-audit-solution/