SolarWinds fixes critical ARM vulnerability, updates recommended

SolarWinds has released a patch to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that allows for remote code execution.

The critical vulnerability, tracked as CVE-2024-28991, has been rated 9.0 out of 10.0 on the CVSS scoring system. It is an instance of deserialization of untrusted data and can be exploited by an authenticated user to execute arbitrary code.

Security researcher Piotr Bazydlo of Trend Micro’s Zero Day Initiative (ZDI) discovered and reported the flaw, which exists within a class called JsonSerializationBinder due to a lack of proper validation of user-supplied data. The ZDI has assigned the vulnerability a CVSS score of 9.9.
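The missing validation described above, shown as an added example that is not SolarWinds ARM code: a Json.NET serialization binder that resolves a supplied type name only if it is on an explicit allowlist. It assumes the Newtonsoft.Json "$type" mechanism; the `Report` class and the sample JSON are constructed for illustration.

```csharp
// Added example, not SolarWinds ARM code. Assumes Json.NET (Newtonsoft.Json),
// whose "$type" metadata lets a JSON document name the .NET type to instantiate.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public sealed class Report { public string Title { get; set; } }   // constructed sample type

// Hardened binder: a "$type" value resolves only if it is on an explicit allowlist.
// A binder that forwards any supplied name to Type.GetType lets the sender choose which
// class gets instantiated, which is the root of untrusted-deserialization code execution.
public sealed class AllowlistBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(Report).FullName, typeof(Report) },   // key: the name as written in "$type"
    };
    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new JsonSerializationException($"Type '{typeName}' is not permitted.");
    }
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // emit the bare name the allowlist is keyed on
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // TypeNameHandling.None is the safest setting; when type metadata is unavoidable,
    // it must be paired with a restrictive binder such as the one above.
    public static readonly JsonSerializerSettings Hardened = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowlistBinder(),
    };
    public static void Main()
    {
        // Constructed input: an allowlisted type deserializes normally.
        var ok = JsonConvert.DeserializeObject<object>("{\"$type\":\"Report\",\"Title\":\"q3\"}", Hardened);
        Console.WriteLine(ok.GetType().Name);

        // Constructed input naming a type outside the allowlist is rejected before any
        // object is created; this is the validation step the advisory says was lacking.
        try { JsonConvert.DeserializeObject<object>("{\"$type\":\"System.Text.StringBuilder\"}", Hardened); }
        catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```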

Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed, making it essential for users to update to the latest version as soon as possible to safeguard against potential threats.

Additionally, SolarWinds has addressed a medium-severity flaw in ARM (CVE-2024-28990) that exposed a hard-coded credential. If successfully exploited, this vulnerability could have allowed unauthorized access to the RabbitMQ management console.

Both vulnerabilities have been patched in ARM version 2024.3.1. Users are advised to update to that version as soon as possible.

Source: https://thehackernews.com/2024/09/solarwinds-issues-patch-for-critical.html?m=1