CVE-2023-35182

CVSS 3.x base score: 8.8 (HIGH)

📋 TL;DR

CVE-2023-35182 is an unauthenticated remote code execution vulnerability in SolarWinds Access Rights Manager (ARM). An attacker who can reach the ARM server can abuse its createGlobalServerChannelInternal method, which deserializes untrusted input, to execute arbitrary code with SYSTEM privileges. Any organization running an ARM version before 2023.2.1 is affected, and compromise of the ARM server exposes every directory and file server ARM has rights over.

💻 Affected Systems

Products:
  • SolarWinds Access Rights Manager
Versions: 2023.2 and earlier (all versions prior to 2023.2.1)
Operating Systems: Windows Server (where ARM is typically deployed)
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable by default; exploitation needs no special configuration and no credentials, only network reachability of the ARM server.

📦 What is this software?

SolarWinds Access Rights Manager (ARM) is a Windows Server application for managing and auditing user permissions across Active Directory, file servers, Exchange and SharePoint. It runs as a server service and is normally configured with a domain service account that holds broad rights over the directory and the systems it manages, which is why a compromise of the ARM server has consequences well beyond that one host.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the ARM server as SYSTEM, followed by theft of the service and scan credentials ARM uses (its service account commonly has broad rights in Active Directory and on the file servers it manages), lateral movement, domain takeover, and deployment of ransomware or other malware.

🟠 Likely Case: Attackers gain an initial foothold on the network through the ARM server, install backdoors, steal credentials, and move laterally to other systems.

🟢 If Mitigated: The attempt is blocked at the network perimeter or detected early, and impact is limited to an isolated security incident that still requires investigation.

🌐 Internet-Facing: HIGH - Unauthenticated remote code execution on internet-facing systems allows complete compromise without any credentials.
🏢 Internal Only: HIGH - Even internally, unauthenticated RCE allows attackers who gain network access to compromise the ARM server.

🎯 Exploit Status

Public PoC: No public proof of concept known at the time of writing
Weaponized: Not confirmed; treat as likely
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Unauthenticated RCE in widely deployed enterprise software is routinely weaponized soon after a patch ships, because the fix can be diffed to locate the vulnerable method. The absence of a public PoC is not evidence of safety; plan as if a working exploit exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.2.1 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182

Restart Required: Yes

Instructions:

1. Download SolarWinds ARM 2023.2.1 or later from the SolarWinds Customer Portal.
2. Back up the current ARM configuration and database.
3. Run the installer with administrative privileges on the ARM server.
4. Restart the ARM service or the server when the installer prompts.
5. Confirm the new version under Help > About in the ARM web interface.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected versions

Restrict network access to the ARM server to trusted management networks only: configure host and perimeter firewall rules to block all inbound traffic to the ARM server except from authorized management IPs. Because the exploit needs no credentials, this is the only workaround that actually keeps an attacker away from the vulnerable code path.

Application Layer Filtering

Applies to: all affected versions

Limited value. The vulnerable code path is the ARM server's createGlobalServerChannelInternal method, a server-side remoting call, not a page of the web UI, so WAF rules on HTTP paths do not reliably block exploitation. If you filter at the application layer at all, do it in addition to the network restriction above and never as a substitute for the patch.

🧯 If You Can't Patch

  • Immediately isolate the ARM server from internet access and restrict internal network access to only necessary administrative systems
  • Implement strict monitoring and alerting for suspicious activity on the ARM server, including process creation and network connections
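The network restriction above can be enforced on the ARM server itself with the Windows Defender Firewall. The script below is an added example, not SolarWinds guidance: it sets inbound to default-deny, allows ARM's listening ports only from management networks, scopes the built-in allow rules the same way, and then lists any rule that still accepts connections from anywhere. The management CIDRs and the port list are placeholders: take the real ports from your ARM deployment's port documentation, and run this from a host inside the management range or you will lock yourself out of RDP.

```powershell
# Added example, not SolarWinds' own guidance. Enforces "management networks
# only" on the ARM server with the Windows Defender Firewall, then reports
# what is still reachable from any address.
# Assumptions (labelled): $MgmtCidrs and $ArmTcpPorts are placeholders; verify
# the port list against your ARM deployment's port documentation.

$MgmtCidrs   = @('10.0.10.0/24', '10.0.11.5')   # placeholder management network + jump host
$ArmTcpPorts = @(443, 55555)                     # placeholder: web UI (HTTPS) and ARM server port; verify

function Restrict-ArmInbound {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # 1. Default-deny inbound on all profiles. Existing allow rules still apply,
    #    which is why steps 3 and 4 scope them instead of deleting them.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

    # 2. Allow ARM's listening ports from management networks only.
    Remove-NetFirewallRule -DisplayName 'ARM - management networks only' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'ARM - management networks only' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $ArmTcpPorts -RemoteAddress $MgmtCidrs -Profile Any | Out-Null

    # 3. Keep RDP for administration, restricted to the same ranges.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $MgmtCidrs

    # 4. Scope every other enabled built-in inbound allow rule (file sharing, WMI,
    #    remote management, ...) to the management ranges too. Rules without a
    #    DisplayGroup (custom rules, including the one from step 2) are left alone.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayGroup -and $_.DisplayGroup -notin @('Remote Desktop', 'Core Networking') } |
        Set-NetFirewallRule -RemoteAddress $MgmtCidrs
}

function Get-ArmInboundExposure {
    # Enabled inbound allow rules that still accept connections from any address.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr -join ',')
        }
    } | Where-Object { $_.RemoteAddress -eq 'Any' }
}

Restrict-ArmInbound -WhatIf      # dry run: shows every rule change without applying it
# Restrict-ArmInbound            # apply for real, from a host inside $MgmtCidrs
Get-ArmInboundExposure | Format-Table -AutoSize
```

Run the dry run first and read the list of rules it would touch; anything under "Core Networking" is deliberately left alone so DHCP and ICMP keep working. After applying, Get-ArmInboundExposure should return nothing; any rule it still prints is an inbound path that bypasses the restriction and needs to be scoped or disabled by hand.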

🔍 How to Verify

Check if Vulnerable:

In the ARM web interface, open Help > About and read the version. Any version below 2023.2.1 is vulnerable. Check every ARM server, including test and disaster-recovery instances, since each one exposes the same code path.

Verify Fix Applied:

After updating, Help > About must show 2023.2.1 or higher, and ARM must work normally (logons, scans, reports). If the version shown is unchanged, the update did not apply; do not mark the host as patched.
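For fleets with more than one ARM server it is easier to read the installed version from the Windows Uninstall registry keys than to log in to each web UI. The script below is an added example, not code from SolarWinds or from this advisory page: it parses the registered version with [version] so that 2023.2 sorts correctly below 2023.2.1, runs an offline self-check on constructed version strings, and then checks the local host. It assumes the product registers an Uninstall entry whose DisplayName contains "Access Rights Manager" and whose DisplayVersion is a dotted version; adjust the pattern if your installation registers differently.

```powershell
# Added example, not code from SolarWinds or from this advisory page. Reads the
# installed ARM version from the Windows Uninstall registry keys on the ARM
# server and compares it with the fixed version 2023.2.1.
# Assumptions (labelled): the product registers an Uninstall entry whose
# DisplayName contains "Access Rights Manager" and whose DisplayVersion parses
# as [version]; adjust $NamePattern if your installation registers differently.

function Test-ArmVersionFixed {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,
        [version]$FixedVersion = [version]'2023.2.1'
    )
    $v = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$v)) {
        throw "Cannot parse version string '$InstalledVersion'"
    }
    # [version] compares field by field, so 2023.2 (no build field) sorts below 2023.2.1
    return ($v -ge $FixedVersion)
}

function Get-ArmInstalledVersion {
    param([string]$NamePattern = '*Access Rights Manager*')   # assumed DisplayName pattern
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

# Offline self-check with constructed version strings (not taken from any host).
$cases = @{ '2023.2' = $false; '2023.2.0' = $false; '2023.2.1' = $true; '2024.1.0' = $true }
foreach ($case in $cases.GetEnumerator()) {
    if ((Test-ArmVersionFixed -InstalledVersion $case.Key) -ne $case.Value) {
        throw "Self-check failed for version $($case.Key)"
    }
}

# Live check on the ARM server.
$entries = @(Get-ArmInstalledVersion)
if ($entries.Count -eq 0) {
    Write-Warning 'No matching Uninstall entry found; confirm the version via Help > About in the ARM web interface.'
}
foreach ($e in $entries) {
    $state = if (Test-ArmVersionFixed -InstalledVersion $e.DisplayVersion) { 'PATCHED' } else { 'VULNERABLE to CVE-2023-35182' }
    '{0} {1}: {2}' -f $e.DisplayName, $e.DisplayVersion, $state
}
```

Run it on each ARM server (or through Invoke-Command against the list of hosts). The registry value is what the installer wrote, so a host that reports a fixed version here but an old version under Help > About has a half-finished update and should be treated as vulnerable until that is resolved.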

📡 Detection & Monitoring

Log Indicators:

  • Process creation under the account the ARM server service runs as (SYSTEM or a dedicated service account) with the ARM server process as parent, especially cmd.exe, powershell.exe or other living-off-the-land binaries
  • Suspicious PowerShell or command-line activity on the ARM server (PowerShell script block logging, Security event 4688 with command-line auditing enabled)
  • Do not wait for failed logons: the exploit needs no credentials, so there may be no authentication failure at all before the malicious child process appears

Network Indicators:

  • Unusual outbound connections from ARM server to external IPs
  • Suspicious HTTP requests to ARM web endpoints from unexpected sources

SIEM Query (generic pseudo-syntax; map the field names to your platform and substitute your ARM host and service account):

host="<arm-server>" AND (process_name="powershell.exe" OR process_name="cmd.exe") AND user="<arm-service-account>"
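When the SIEM is not yet collecting from the ARM server, the same hunt can be run directly against the Windows Security log. The script below is an added example, not from this page's SIEM or from SolarWinds: it flattens Security event 4688 (process creation) into the fields that matter, flags shells and common LOLBins started under the ARM service account or with a parent under the ARM install path, and proves the logic on constructed sample events before querying the live log. It assumes process-creation auditing is enabled on the ARM server (command-line logging is optional but strongly recommended); 'ARM_Service', the '*\SolarWinds\*' parent-path pattern and the sample process paths are placeholders. If the ARM server service runs as LocalSystem, 4688 reports the subject as the computer account (HOSTNAME$), which is why the parent-path match is there.

```powershell
# Added example, not from this page's SIEM or from SolarWinds. Hunts Security
# event 4688 on the ARM server for shells and LOLBins spawned by ARM.
# Assumptions (labelled): process-creation auditing is enabled; 'ARM_Service'
# and the '*\SolarWinds\*' parent pattern are placeholders; the sample events
# and their process paths below are constructed, not captured.

function ConvertFrom-ProcessCreationEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)   # EventRecord from Get-WinEvent
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $Event.TimeCreated
            User          = $d['SubjectUserName']
            NewProcess    = $d['NewProcessName']
            ParentProcess = $d['ParentProcessName']   # populated on Server 2016+ / Windows 10+
            CommandLine   = $d['CommandLine']         # empty unless command-line auditing is on
        }
    }
}

function Find-SuspiciousArmProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Proc,
        [string]$ServiceAccount = 'ARM_Service',          # placeholder service account
        [string]$ParentPattern  = '*\SolarWinds\*',       # assumed install path of the ARM server binaries
        [string[]]$Watch = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'rundll32.exe', 'mshta.exe', 'certutil.exe', 'bitsadmin.exe')
    )
    process {
        $leaf = [IO.Path]::GetFileName($Proc.NewProcess)
        $fromArm = ($Proc.User -eq $ServiceAccount) -or ($Proc.ParentProcess -like $ParentPattern)
        if ($fromArm -and $leaf -in $Watch) {
            $Proc | Add-Member -NotePropertyName Reason -NotePropertyValue "$leaf started under ARM (user=$($Proc.User), parent=$($Proc.ParentProcess))" -PassThru
        }
    }
}

# Constructed sample (offline self-check): two benign events, two hits.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2023-10-20T10:00:00'; User = 'ARM_Service'; NewProcess = 'C:\Program Files\SolarWinds\Placeholder\ArmServer.exe'; ParentProcess = 'C:\Windows\System32\services.exe'; CommandLine = '' }
    [pscustomobject]@{ Time = [datetime]'2023-10-20T10:00:05'; User = 'jsmith';      NewProcess = 'C:\Windows\System32\cmd.exe'; ParentProcess = 'C:\Windows\explorer.exe'; CommandLine = 'cmd.exe' }
    [pscustomobject]@{ Time = [datetime]'2023-10-20T10:02:13'; User = 'ARM_Service'; NewProcess = 'C:\Windows\System32\cmd.exe'; ParentProcess = 'C:\Program Files\SolarWinds\Placeholder\ArmServer.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Time = [datetime]'2023-10-20T10:02:20'; User = 'ARMHOST$';    NewProcess = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentProcess = 'C:\Program Files\SolarWinds\Placeholder\ArmServer.exe'; CommandLine = 'powershell.exe -nop -w hidden -enc AAAA' }
)
$hits = @($sample | Find-SuspiciousArmProcess -ServiceAccount 'ARM_Service')
if ($hits.Count -ne 2 -or $hits[0].CommandLine -ne 'cmd.exe /c whoami') { throw 'Self-check failed' }

# Live hunt over the last 7 days on the ARM server.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ConvertFrom-ProcessCreationEvent |
    Find-SuspiciousArmProcess -ServiceAccount 'ARM_Service' |
    Format-Table Time, User, NewProcess, ParentProcess, CommandLine, Reason -AutoSize
```

Tune the $Watch list to what the ARM server legitimately runs; ARM itself should rarely spawn an interactive shell, so any hit is worth pulling the full command line and the network connections from the same time window.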

🔗 References

  • SolarWinds security advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-35182