SolarWinds RCE Vulnerabilities: Unlocking Network Takeovers with Devastating Consequences

Eight Vulnerabilities Discovered in SolarWinds Access Rights Manager Tool

The Significance of SolarWinds in Corporate Networks

SolarWinds, a broad IT management platform, has gained considerable attention due to the vulnerability of its systems. The world witnessed the consequences of this vulnerability three years ago. As a platform that oversees critical components in corporate networks, SolarWinds holds a unique position that makes it a prime target for attackers. One of its key tools, the Access Rights Manager (ARM), allows administrators to provision, manage, and audit user access rights to data, files, and systems. However, the recent discovery of eight vulnerabilities in the ARM tool has raised serious concerns.

The Severity of the Vulnerabilities

Trend Micro’s Zero Day Initiative (ZDI) recently disclosed the eight vulnerabilities, three of which are considered critical. These vulnerabilities could potentially grant attackers the highest levels of privilege in unpatched systems. The severity of these vulnerabilities is a cause for alarm, as they have the potential to allow remote unauthenticated attackers to execute arbitrary code at the system level, effectively taking over an affected system.

Two of the vulnerabilities, CVE-2023-35181 and CVE-2023-35183, allow unauthorized users to exploit local resources and incorrect folder permissions, leading to local privilege escalation. These vulnerabilities have been rated as “High” severity by Trend Micro. Additionally, three more vulnerabilities, namely CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186, have an “8.8” severity rating and can enable users to abuse a SolarWinds service or its ARM API for remote code execution.

The most concerning vulnerabilities, however, are the three critical-rated RCE (Remote Code Execution) vulnerabilities: CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187. Although SolarWinds rates them at “8.8,” Trend Micro considers their severity to be “9.8.” These vulnerabilities reside in the methods createGlobalServerChannelInternal, OpenFile, and OpenClientUpdateFile, respectively, and lack proper validation. Exploiting these vulnerabilities allows attackers to run arbitrary code at the SYSTEM level, which represents the highest possible level of privilege on a Windows machine. Most notably, these three vulnerabilities do not require prior authentication for exploitation.

Patching and Mitigation

SolarWinds has taken immediate action to address these vulnerabilities and has released a new version of ARM, namely 2023.2.1. It is highly advised that all SolarWinds clients promptly patch their systems by adopting this latest version. Prompt action is crucial to prevent potential attacks that could lead to devastating consequences.

Editorial – A Call for Enhanced Internet Security

The discovery of these vulnerabilities in SolarWinds ARM highlights the urgent need for companies to prioritize and invest in robust internet security measures. As demonstrated by the previous SolarWinds breach, a single vulnerability can have far-reaching consequences. Organizations must recognize that their network and system security directly impact their ability to protect sensitive data, prevent unauthorized access, and safeguard against potential attacks. Mere reliance on software patches and updates is no longer sufficient.

It is crucial for companies to implement comprehensive security solutions that encompass regular vulnerability assessments, proactive threat hunting, and robust incident response procedures. Internet security is an ongoing battle, and businesses must remain vigilant, continuously evaluating and fortifying their defenses against emerging threats.

Advice for Administrators and IT Professionals

For administrators and IT professionals responsible for managing SolarWinds and similar IT management tools, several key steps must be taken:

1. Implement Regular Patching and Update Procedures:

Establish a proactive system to regularly check for updates and patches for all software and tools in use. Ensure that the latest versions are deployed promptly to mitigate potential vulnerabilities.

2. Stay Informed:

Stay abreast of security news, updates, and advisories from trusted sources such as security vendors, government agencies, and industry experts. Timely awareness of potential vulnerabilities can enable proactive measures.

3. Follow Best Practices:

Adhere to cybersecurity best practices, such as strong authentication mechanisms, least privileged access principles, regular monitoring, and logging of system activities. Regularly review and update access controls to minimize the attack surface.

4. Conduct Vulnerability Assessments:

Routinely perform vulnerability assessments and penetration testing on critical systems. This helps identify potential weaknesses and allows for appropriate remediation measures before attackers exploit them.

5. Establish Incident Response Procedures:

Have well-defined and tested incident response plans in place to minimize the impact of potential attacks. Regularly review and update these procedures to ensure they align with current threats.

By implementing these measures, organizations can bolster their security posture and reduce the risk of falling victim to devastating cyber attacks.