Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Multiple Critical vulnerabilities affect the SolarWinds Access Rights Manager tool, Patch immediately!
Image
Published : 23/10/2023
Reference:
Advisory #2023-127
Version:
1.0
Affected software:
Solarwinds Access Right Manager Tool versions version 2023.2.1
Type:
Remote Code Execution, RCE
CVE/CVSS:
CVE-2023-35180 :CVSS 8.0(CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-35181 :CVSS 7.8(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-35182 :CVSS 8.8(CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-35183 :CVSS 7.8(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-35184 :CVSS 8.8(CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-35185 :CVSS 8.8(CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-35186 :CVSS 8.0(CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-35187 :CVSS 8.8(CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
Trend Micro's Zero Day Initiative has discovered several high and critical severity vulnerabilities in the SolarWinds Access Right Manager (ARM) tool. Successful exploitation allows a remote unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
SolarWinds ARM provides Microsoft Active Directory integration and role-based access control. SolarWinds ARM is designed to help IT and security administrators quickly and easily provision, deprovision, manage and audit user access rights to systems, data and files to help protect their organisations from the potential risks of data loss and breaches.
Any organisation using SolarWinds ARM should forensically examine vulnerable systems to determine if they have been compromised and if there has been any data exfiltration.
The series of vulnerabilities have a high impact on all vertices of the CIA triad (Confidentiality, Integrity, Availability).
SolarWinds addressed all vulnerabilities in Access Rights Manager version 2023.2.1.
Description
CVE-2023-35181 and CVE-2023-35183 allow an unauthorised attacker to exploit local resources and incorrect folder permissions to escalate local privileges.
CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186 allow an attacker to exploit the SolarWinds service and/or its ARM API to gain remote code execution (RCE).
CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187 allow an unauthenticated remote attacker to execute remote code, with SYSTEM privileges. The problem stems from improper validation of the createGlobalServerChannelInternal, OpenFile, and OpenClientUpdateFile methods, allowing an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
Recommended Actions
The Centre for Cyber Security Belgium urges system administrators to check their SolarWinds Access Rights Manager tool for potential vulnerabilities and ensure that their device has the latest software version.
Please note that vulnerable instances will still be at risk after the upgrade to the fixed version.
This is because the intruder may have created administrator accounts within the vulnerable entity.
If such an event occurs, the incident can be reported via https://ccb.belgium.be/cert/report-incident.
More information can be found at: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm
References