Critical ARM vulnerability that could have allowed RCE patched by SolarWinds

A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
(Image credit: Shutterstock / JLStock)

SolarWinds has recently patched a critical severity vulnerability in its Access Rights Manager (ARM) program, which allowed threat actors to run malicious code remotely.

Access Rights Manager (ARM) is a piece of software designed to help organizations manage, monitor, and audit user access rights across their IT systems.

In a security advisory, SolarWinds said ARM was vulnerable to a “deserialization of untrusted data remote code execution flaw,” which essentially means that the software was not validating user-supplied data properly. That data, if malicious, could be abused in cyberattacks.

Patch available

The bug is tracked as CVE-2024-28991, and has a severity rating of 9.0/10 (critical). It was first spotted by security researchers from Trend Micro’s Zero Day Initiative (ZDI), The Hacker News reports, who gave it a 9.9 severity rating. One of the reasons is because of poor authentication practices: "Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed," the ZDI said.

If you are using ARM, you should make sure you’re running version 2024.3.1. SolarWinds says there is no evidence that the flaw is being abused in the wild, but is still advocating caution and advising users to patch without delay.

Although SolarWinds is a major IT services provider, popular among enterprises, it rose to infamy back in 2020 when an upcoming patch for one of its products was compromised by ransomware hackers. Unknowingly, the company pushed a tainted update to countless customers, compromising many of them in the process, and resulting in sensitive data being stolen from dozens of high-profile organizations.

Last year, the US Securities and Exchange Commission (SEC) decided to sue SolarWinds for the incident, claiming its executives knew about its security shortcomings. Instead of notifying investors and users, the lawsuit alleges, the execs kept the information for themselves and even tried to convince everyone of the opposite.

Via The Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS