CVE-2023-35180

8.0 HIGH

📋 TL;DR

CVE-2023-35180 is a remote code execution vulnerability in SolarWinds Access Rights Manager that allows authenticated users to execute arbitrary code by abusing the ARM API. This affects organizations using vulnerable versions of SolarWinds ARM. Attackers with valid credentials can exploit this to gain full control of affected systems.

💻 Affected Systems

Products:
  • SolarWinds Access Rights Manager
Versions: Versions prior to 2023.2.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable; requires authenticated access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary code, steal sensitive data, deploy ransomware, or pivot to other network systems.

🟠

Likely Case

Privilege escalation leading to unauthorized access to sensitive systems and data, potentially enabling lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though risk remains for authenticated users.

🌐 Internet-Facing: HIGH if ARM is exposed to the internet, as authenticated attackers could exploit it remotely.
🏢 Internal Only: HIGH due to authenticated users potentially exploiting it from within the network, especially if credentials are compromised.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; complexity is low once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.2.1 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35180

Restart Required: Yes

Instructions:

1. Download SolarWinds ARM version 2023.2.1 or later from the SolarWinds customer portal.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the ARM service or server as prompted.

🔧 Temporary Workarounds

Restrict API Access

Platform: Windows

Limit network access to the ARM API to trusted IP addresses only using firewall rules.

Example Windows Firewall command (replace <TRUSTED_IP_RANGE> with the administrative subnet; assumes the profile's default inbound action is Block, which is the Windows default): netsh advfirewall firewall add rule name="Allow ARM API from trusted hosts" dir=in action=allow protocol=TCP localport=17778 remoteip=<TRUSTED_IP_RANGE>

Note that an explicit block rule with remoteip=any would cut off trusted hosts as well, because Windows Firewall evaluates block rules before allow rules; an allow-list is built from a scoped allow rule on top of the default inbound block, not from a blanket block rule.

Enforce Strong Authentication

Platform: All

Implement multi-factor authentication and strong password policies for ARM users to reduce credential compromise risk.

🧯 If You Can't Patch

  • Isolate the ARM system in a segmented network with strict access controls.
  • Monitor for unusual API activity and implement alerting for suspicious authentication attempts.

🔍 How to Verify

Check if Vulnerable:

Check the ARM version in the SolarWinds ARM web interface under Help > About. If the version is below 2023.2.1, it is vulnerable.

Check Version:

In the ARM web UI, navigate to Help > About to view the version.

Verify Fix Applied:

After patching, verify the version is 2023.2.1 or higher in the About section and test API functionality.
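The version check above and the firewall workaround can be combined into one audit. The following is an added example, not code from the SolarWinds advisory or the ARM product; it assumes the version string is copied by hand from Help > About (ARM exposes no documented way to read it here), that the API listens on TCP 17778 as stated above, and the function name Test-ArmExposure is hypothetical.

```powershell
# Added example; not part of the advisory or of ARM itself.
# Run in an elevated PowerShell session on the ARM server.
function Test-ArmExposure {
    param(
        [Parameter(Mandatory = $true)][string]$ArmVersion,  # value shown under Help > About
        [int]$ApiPort = 17778                                # assumed default ARM API port
    )

    # Version check: anything below the fixed release 2023.2.1 is in the affected range.
    $fixed      = [version]'2023.2.1'
    $current    = [version]$ArmVersion
    $vulnerable = $current -lt $fixed

    # Firewall audit: enabled inbound allow rules that cover the API port, with
    # their remote-address scope. Port ranges (e.g. 17770-17780) are not expanded.
    $allowRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'TCP') { continue }
        if (($port.LocalPort -ne 'Any') -and ($port.LocalPort -notcontains "$ApiPort")) { continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Unscoped      = ($addr.RemoteAddress -contains 'Any')   # reachable from anywhere
        }
    }

    [pscustomobject]@{
        ArmVersion        = $ArmVersion
        FixedVersion      = $fixed.ToString()
        Vulnerable        = $vulnerable
        UnscopedAllowRule = (@($allowRules | Where-Object Unscoped).Count -gt 0)
        AllowRules        = $allowRules
    }
}

# Usage: Test-ArmExposure -ArmVersion '2023.2.0'
# An unpatched version combined with UnscopedAllowRule = $True means the
# workaround above has not been applied and the API is reachable network-wide.
```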

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests in ARM logs, unexpected process executions, or authentication from suspicious IPs.

Network Indicators:

  • Abnormal traffic to ARM API port (default 17778), especially from unauthorized sources.

SIEM Query:

Example (field names are illustrative; map them to the ARM log schema your SIEM ingests): source="ARM_logs" AND (event="API_ABUSE" OR process="suspicious_executable")
