CVE-2024-23468
📋 TL;DR
CVE-2024-23468 is a directory traversal vulnerability in SolarWinds Access Rights Manager that allows unauthenticated attackers to delete arbitrary files and access sensitive information. This affects organizations using vulnerable versions of SolarWinds ARM. The vulnerability stems from improper path validation (CWE-22).
💻 Affected Systems
- SolarWinds Access Rights Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, exposure of sensitive configuration data, credentials, and potential lateral movement within the network.
Likely Case
Unauthenticated attackers accessing sensitive information (configuration files, credentials) and deleting application files causing service disruption.
If Mitigated
Limited impact with proper network segmentation, but information disclosure remains possible wherever the ARM interface is still reachable.
🎯 Exploit Status
Directory traversal vulnerabilities are typically easy to exploit with simple HTTP requests. The unauthenticated nature makes this particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3
Vendor Advisory: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2024.3 from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the ARM service and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the ARM interface to trusted IP addresses only
Configure firewall rules to allow only specific source IPs to access ARM web interface ports
Web Application Firewall
Deploy a WAF with directory traversal protection rules
Configure WAF to block requests containing '../', '..\', and similar path traversal patterns
🧯 If You Can't Patch
- Isolate the ARM server in a restricted network segment with no internet access
- Implement strict network access controls allowing only necessary administrative connections
🔍 How to Verify
Check if Vulnerable:
Check the ARM version in the web interface (Help > About) or via Windows Programs and Features. If the version is earlier than 2024.3, the system is vulnerable.
Check Version:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like '*Access Rights Manager*'} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Verify ARM version shows 2024.3 or later. Test that directory traversal attempts (e.g., requests with '../' patterns) are properly rejected.
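The version check above boils down to comparing the installed DisplayVersion against the 2024.3 fix version. Comparing version strings as text gets this wrong (for example "2024.10" sorts before "2024.3"). The following Python is an added example, not SolarWinds code: it parses the table printed by the Get-ItemProperty command on this page (the sample output below is constructed, not captured from a real host) and compares the version numerically. The column layout and the "Hotfix" suffix in the sample are assumptions.

```python
import re

# Fix version taken from the vendor advisory: ARM 2024.3
FIXED_VERSION = (2024, 3)


def parse_version(text):
    """Extract the first dotted number from a DisplayVersion string,
    e.g. '2023.2.1' -> (2023, 2, 1) or '2024.3 Hotfix 1' -> (2024, 3).
    Returns None when the string holds no dotted number."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(display_version):
    """True when the installed version is older than the 2024.3 fix."""
    v = parse_version(display_version)
    if v is None:
        raise ValueError(f"unrecognised version string: {display_version!r}")
    # Pad the shorter tuple with zeros so 2024.3 and 2024.3.0 compare equal,
    # then compare as integers rather than as strings.
    n = max(len(v), len(FIXED_VERSION))
    installed = v + (0,) * (n - len(v))
    fixed = FIXED_VERSION + (0,) * (n - len(FIXED_VERSION))
    return installed < fixed


# Constructed sample of what the Select-Object table on this page might print
# (assumed two-column layout; not output from a real system).
SAMPLE_PS_OUTPUT = """\
DisplayName                        DisplayVersion
-----------                        --------------
SolarWinds Access Rights Manager   2023.2.1
"""

ROW_RE = re.compile(r"^(?P<name>.+?)\s{2,}(?P<version>\S.*?)\s*$")


def check_registry_output(text):
    """Parse the PowerShell table and return a list of (name, version, vulnerable)
    for every row that names Access Rights Manager."""
    results = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or "Access Rights Manager" not in m["name"]:
            continue
        results.append((m["name"].strip(), m["version"], is_vulnerable(m["version"])))
    return results


if __name__ == "__main__":
    for name, version, vuln in check_registry_output(SAMPLE_PS_OUTPUT):
        print(f"{name}: {version} -> {'VULNERABLE' if vuln else 'patched'}")
```

Feed the function the real output of the Get-ItemProperty command (for example via Out-String) to turn the manual check into a scriptable inventory step.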
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../', '..\', or similar traversal patterns in ARM logs
- Unexpected file deletion events in Windows event logs
- Access to sensitive files outside ARM directory
Network Indicators:
- Unusual HTTP requests to ARM web interface from unauthenticated sources
- Patterns of file access attempts outside normal ARM operations
SIEM Query:
source="arm_logs" AND (http_uri="*../*" OR http_uri="*..\\*")
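The SIEM query above matches the literal strings '../' and '..\'. Traversal attempts are often URL-encoded ('%2e%2e%2f') or double-encoded ('%252e%252e'), which a literal match misses, and a plain substring match on '..' also flags harmless names such as 'report..2024.csv'. The following Python is an added example (not SolarWinds code and not the page's own query): it normalises each request URI by repeated percent-decoding and backslash folding, then flags only '..' that forms a path segment. The log format and the log lines are constructed for the example; real ARM log lines will need their own parser.

```python
import re
from urllib.parse import unquote

# Constructed sample log in a simplified "timestamp client method uri status"
# layout; these are not real ARM log lines.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET /api/reports/list 200
2024-06-01T10:00:02Z 198.51.100.7 GET /api/files/download?name=../../windows/win.ini 200
2024-06-01T10:00:03Z 198.51.100.7 DELETE /api/files?name=..%2F..%2Fconfig%2Fdb.cfg 204
2024-06-01T10:00:04Z 198.51.100.7 GET /api/files?name=%252e%252e/%252e%252e/secrets 200
2024-06-01T10:00:05Z 10.0.0.9 GET /api/files?name=report..2024.csv 200
2024-06-01T10:00:06Z 10.0.0.9 GET /static/..\\..\\web.config 403
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)


def normalize_uri(uri, max_rounds=3):
    """Percent-decode until stable (catches double encoding, bounded to avoid
    looping on pathological input) and fold backslashes into slashes."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


# A traversal is a '..' path segment: '..' bounded by a separator or by the
# start of a query value, and followed by a separator or end of string.
TRAVERSAL_RE = re.compile(r"(^|[/?=&])\.\.(?=/|$|[?&])")


def has_traversal(uri):
    """True when the decoded URI contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalize_uri(uri)) is not None


def scan_log(text):
    """Return (src, method, decoded_uri, status) for every traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["uri"]):
            hits.append((m["src"], m["method"], normalize_uri(m["uri"]), int(m["status"])))
    return hits


def count_by_source(hits):
    """Aggregate hits per client address; repeated attempts from one source
    are the pattern worth alerting on."""
    counts = {}
    for src, _method, _uri, _status in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(count_by_source(scan_log(SAMPLE_LOG)))
```

Note that a 2xx status on a flagged request is the case to escalate: a 403 from a WAF or the patched version shows the request was rejected, whereas a 200 or 204 on a traversal URI suggests the deletion or read may have succeeded and warrants a file-system check.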