This advisory is for organizations that use SolarWinds Access Rights Manager (ARM) to manage and audit user access rights. If your organization does not use this product, this notification may be discarded.
Summary
SolarWinds has released ARM 2023.2.1 to address several vulnerabilities in Access Rights Manager. Three of the fixed issues are rated critical: each could allow a remote, unauthenticated attacker to execute code on the ARM server in the context of SYSTEM.
CVE-2023-35182 – ARM Deserialization of Untrusted Data Remote Code Execution
CVSSv3: 9.8
CVE-2023-35185 – ARM Directory Traversal Remote Code Execution
CVSSv3: 9.8
CVE-2023-35187 – ARM Directory Traversal Remote Code Execution
CVSSv3: 9.8
Affected Products/Versions
ARM 2023.1 and earlier
Mitigations
A patch has been released: upgrade to ARM 2023.2.1. Release notes: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
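The following triage helper is an added example and is not part of the original advisory or of any SolarWinds tooling. It takes the two version boundaries stated above (2023.1 and earlier affected; fixed in 2023.2.1) and classifies an inventory of ARM servers so that hosts still needing the patch can be listed. It assumes ARM versions are reported as dotted numeric strings such as "2023.2.1" and that the inventory is available as "hostname,version" lines; the sample inventory is constructed. A version that falls between the last listed affected release and the fixed release is reported as "unlisted" rather than assumed safe, because the advisory does not name it.

```python
"""Triage helper for the SolarWinds ARM 2023.2.1 advisory (added example).

Assumptions, not taken from the advisory: ARM reports its version as a
dotted numeric string such as "2023.2.1", and an inventory is available
as "hostname,version" lines.
"""
from typing import List, Tuple

# Version boundaries stated in the advisory text.
LAST_LISTED_AFFECTED = "2023.1"  # "ARM 2023.1 and earlier"
FIXED_VERSION = "2023.2.1"       # release that addresses the three CVEs


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "2023.2.1" into (2023, 2, 1).

    Trailing zero components are dropped so that "2023.2" and "2023.2.0"
    compare equal. Non-numeric input raises ValueError.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def classify(version: str) -> str:
    """Return "patched", "affected" or "unlisted" for one ARM version."""
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "patched"
    if v <= parse_version(LAST_LISTED_AFFECTED):
        return "affected"
    # Between 2023.1 and 2023.2.1: the advisory does not name these
    # builds, so do not assume they are safe; confirm with the vendor.
    return "unlisted"


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Classify every "hostname,version" line; blank and "#" lines skipped."""
    results = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            status = classify(version)
        except ValueError:
            status = "unparseable"  # e.g. an empty or non-numeric version
        results.append((host.strip(), version.strip(), status))
    return results


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY = """\
# host,version
arm-prod-01,2022.2.3
arm-prod-02,2023.1
arm-lab-01,2023.2
arm-prod-03,2023.2.1
arm-old-01,9.0
arm-unknown,n/a
"""


def hosts_needing_action(inventory: str = SAMPLE_INVENTORY) -> List[str]:
    """Hosts that are not confirmed to be on the fixed release."""
    return [host for host, _, status in triage(inventory) if status != "patched"]


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:10} {status}")
```

Anything reported as "affected", "unlisted" or "unparseable" should be verified on the host itself and scheduled for the 2023.2.1 upgrade.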
Additional Resources
CVE-2023-35182: https://www.zerodayinitiative.com/advisories/ZDI-23-1564/
CVE-2023-35185: https://www.zerodayinitiative.com/advisories/ZDI-23-1565/
CVE-2023-35187: https://www.zerodayinitiative.com/advisories/ZDI-23-1567/
https://www.bleepingcomputer.com/news/security/critical-rce-flaws-found-in-solarwinds-access-audit-solution/