CVSS 9.9: SolarWinds ARM vulnerability hits companies' security

How could the leading software vendors have made such a gross miscalculation?

SolarWinds has released updates to address two vulnerabilities in its Access Rights Manager (ARM) software, one of which is classified as critical. The vulnerability, identified as CVE-2024-28991, has a CVSS score of 9.0 out of 10 and is associated with incorrect data deserialization, which can lead to remote code execution (RCE).

The notice published by SolarWinds states that this vulnerability allows an authenticated user to abuse the service, which opens up the possibility of remote execution of arbitrary code. The problem was discovered by security researcher Piotr Bazydlo. He announced it through the Zero Day Initiative (ZDI) program on May 24, 2024.

It is noteworthy that ZDI specialists assigned the vulnerability a higher CVSS score of 9.9. As noted, the problem arises due to insufficient validation of the data provided by the user, which makes ARM devices vulnerable to deserialization and, as a result, leads to arbitrary code execution. Despite the need for authentication to exploit the vulnerability, ZDI emphasizes that it is possible to bypass the current authentication mechanism.

In addition to CVE-2024-28991, SolarWinds has also fixed a moderate-severity vulnerability (CVE-2024-28990) with a CVSS score of 6.3, which is related to the use of hardcoded credentials. This could allow attackers to gain unauthorized access to the RabbitMQ management console.

Both issues have been fixed in ARM version 2024.3.1. So far, there have been no cases of active exploitation of these vulnerabilities, but users are advised to update their software as soon as possible to protect against possible threats.

Last month, SolarWinds also fixed two critical issues in its Web Help Desk (WHD) software. CVE-2024-28987 (CVSS: 9.1) allowed remote unauthenticated users to gain unauthorized access to vulnerable system instances, while CVE-2024-28986 (CVSS: 9.8) could be used to execute arbitrary code.

As you can see once again, even established industry leaders can make serious mistakes in their software, potentially putting entire organizations at risk. Keeping your software up to date is not just a recommendation, it's a critical necessity to protect against ever-evolving digital threats.
