SolarWinds Patches Eight Critical Flaws In Access Rights Manager Software

The latest revelation comes as a U.S. district judge last week dismissed most of a lawsuit that accused SolarWinds of misleading investors.


SolarWinds, the network management company still reeling from the aftermath of a major 2020 supply chain attack, has addressed eight critical vulnerabilities in its Access Rights Manager (ARM) software.

The critical flaws, rated 9.6 out of 10 on the Common Vulnerability Scoring System (CVSS), could allow attackers to not only steal sensitive information but also potentially take complete control of affected systems by executing malicious code.

In total, SolarWinds patched 13 security flaws last week, of which eight are rated as "Critical", while five are "High" in terms of severity.

The eight critical flaws addressed by the company are listed below:

The RCE vulnerabilities are particularly concerning as they could grant attackers a foothold within a system without needing any prior access.

Similarly, directory traversal flaws let attackers supply file paths that escape the directory an application intends to expose, potentially reading or deleting important files elsewhere on the system, or serving as a stepping stone to further attacks run with the application's privileges.
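The mechanics behind that paragraph are worth seeing concretely. The following is an added illustration written for this page, not code from SolarWinds or from ARM: it shows the vulnerable pattern (joining a client-supplied path onto a base directory and using the result as-is), a common but insufficient fix (normalizing the string and checking its prefix), and the hardened form (canonicalizing the path and checking containment on the resolved result). The sandbox directory, its contents and the symlink are constructed here for the demonstration, and a POSIX filesystem is assumed.

```python
import os
import tempfile

# Constructed sandbox for the demonstration; the layout is an assumption made
# for this example, not ARM's real file layout. Assumes POSIX (symlinks, "/").
BASE = os.path.realpath(tempfile.mkdtemp(prefix="traversal_demo_"))
os.makedirs(os.path.join(BASE, "reports"))
with open(os.path.join(BASE, "reports", "q1.txt"), "w") as fh:
    fh.write("quarterly report\n")
# A symlink inside the base that points at the filesystem root: a realistic trap
# for checks that inspect the path string instead of what the path resolves to.
os.symlink("/", os.path.join(BASE, "link"))


def resolve_vulnerable(user_path: str) -> str:
    """Vulnerable pattern: join the client-supplied path and use it as-is.
    '../' segments walk out of BASE, and an absolute path replaces BASE entirely."""
    return os.path.join(BASE, user_path)


def resolve_naive_check(user_path: str) -> str:
    """Common but insufficient fix: normalize the string and check the prefix.
    Stops plain '../' and absolute paths, but not a symlink leading outside BASE."""
    candidate = os.path.normpath(os.path.join(BASE, user_path))
    if not candidate.startswith(BASE + os.sep):
        raise PermissionError(f"rejected: {user_path!r}")
    return candidate


def resolve_hardened(user_path: str) -> str:
    """Hardened pattern: canonicalize (follows symlinks, collapses '..'), then
    require the canonical result to sit under BASE via a path-aware comparison."""
    candidate = os.path.realpath(os.path.join(BASE, user_path))
    if os.path.commonpath([BASE, candidate]) != BASE:
        raise PermissionError(f"rejected: {user_path!r}")
    return candidate


def lands_outside_base(path: str) -> bool:
    """True if the path, once symlinks and '..' are resolved, is not under BASE."""
    return os.path.commonpath([BASE, os.path.realpath(path)]) != BASE


def outcome(resolver, user_path: str) -> str:
    """Classify what a resolver does with a request: 'served' (a file inside BASE),
    'escaped' (returned a path outside BASE), or 'rejected' (raised)."""
    try:
        target = resolver(user_path)
    except PermissionError:
        return "rejected"
    return "escaped" if lands_outside_base(target) else "served"


def read_report(user_path: str) -> str:
    """Read a file through the hardened resolver."""
    with open(resolve_hardened(user_path)) as fh:
        return fh.read()


if __name__ == "__main__":
    requests = ["reports/q1.txt", "../../../../etc/passwd",
                "/etc/passwd", "link/etc/passwd"]
    for req in requests:
        print(f"{req:26} vulnerable={outcome(resolve_vulnerable, req):9}"
              f"naive={outcome(resolve_naive_check, req):9}"
              f"hardened={outcome(resolve_hardened, req)}")
```

The symlink case is the one that separates the two fixes: the prefix check is satisfied because the string begins with the base directory, yet the file actually opened lives under `/`. Checking containment on the result of `realpath` rather than on the request string closes that gap, and `commonpath` avoids the sibling-directory false positive a bare `startswith` invites.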

SolarWinds also addressed a high-severity authentication bypass weakness (CVE-2024-23465) that could grant attackers complete control over user accounts within the Active Directory environment, potentially compromising an entire network.

The company released version 2024.3 of ARM to address these flaws.

While SolarWinds has not said whether any of these vulnerabilities are being exploited in the wild, security experts urge users to update immediately.

The disclosure highlights the ongoing challenge of cybersecurity and the importance of prioritizing robust security practices and prompt patching.

Earlier this year, SolarWinds fixed five other RCE weaknesses in the ARM solution, three of which were rated critical.

Judge Dismisses Lawsuit Against SolarWinds

The latest revelation about new bugs in SolarWinds software comes as a U.S. district judge last week dismissed most of a lawsuit that accused SolarWinds of misleading investors about cybersecurity weaknesses before and after the 2020 cyberattack that targeted dozens of government agencies and private firms in the US.

The lawsuit was filed by the Securities and Exchange Commission (SEC) in October 2023.

In the ruling on July 18, Judge Paul Engelmayer said the SEC's claims were based largely on "hindsight and speculation" and failed to meet the legal threshold for securities fraud.

He dismissed all charges against SolarWinds and its CISO, Timothy Brown, regarding statements made after the attack. The judge also threw out most claims concerning pre-attack statements, except for one related to a website blurb about the company's security controls.

The SolarWinds attack was disclosed in December 2020, after the U.S. Treasury Department and the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) were compromised in a massive cyber campaign.

An investigation revealed that the hackers managed to breach the networks of multiple organizations after compromising SolarWinds' network monitoring software Orion.

The software was widely used by government departments and private companies.

The attackers inserted malicious code into legitimate software updates for Orion, which gave them remote access to victims' environments.

The SEC's lawsuit was unique in several ways. It was the first targeting a cyberattack victim without a simultaneous settlement; moreover, the SEC rarely sues non-financial executives like Brown.

In its lawsuit, the SEC argued SolarWinds failed to disclose customer warnings about suspicious activity on Orion.

Engelmayer, however, disagreed. He ruled that anti-fraud laws don't require companies to provide excessively specific risk warnings, as this could inadvertently aid attackers.

He also highlighted that SolarWinds acknowledged the inherent risk of cyberattacks and could not be expected to prevent every single one.

"It has already disclosed the likelihood of these as, regrettably, a fact of life," Engelmayer wrote in his ruling.