CVE-2024-23469
📋 TL;DR
SolarWinds Access Rights Manager (ARM) versions prior to 2024.3 contain a critical remote code execution vulnerability that lets an unauthenticated attacker execute arbitrary code with SYSTEM privileges on the ARM server. The root cause is improper input validation (CWE-20) in a remotely reachable component, so no credentials or user interaction are needed.
💻 Affected Systems
- SolarWinds Access Rights Manager
📦 What is this software?
SolarWinds Access Rights Manager is a Windows-based product for provisioning, auditing, and reporting on user permissions across Active Directory, file servers, Exchange, and SharePoint. Because of that role, the ARM server holds service credentials with broad rights over the systems it manages.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ARM server with SYSTEM privileges. The attacker can install malware, harvest the credentials ARM uses to manage directory and file-server permissions, pivot to other systems, and maintain persistent access to the network.
Likely Case
Initial access leading to ransomware deployment, data exfiltration, or lateral movement within the network.
If Mitigated
Limited blast radius if network segmentation, EDR, and least-privilege service accounts are in place; exploitation still grants SYSTEM on the ARM server itself, so the value of those controls is in containing what the attacker can reach from there.
🎯 Exploit Status
Unauthenticated remote code execution as SYSTEM makes this vulnerability highly attractive to attackers. No public exploit code had been confirmed at the time of writing; treat that as a reason to patch before one appears, not as a reason to wait.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3
Vendor Advisory: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2024.3 from the SolarWinds customer portal.
2. Back up the current ARM configuration and database.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart the ARM service or the server as required.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to SolarWinds ARM servers to trusted administrative networks only.
Firewall Rules
Implement strict Windows Firewall rules that limit inbound connections to the ARM server to the administrative subnet. Windows Firewall evaluates block rules before allow rules, so a block rule with remoteip=any (as is sometimes suggested) would also cut off legitimate administrators; instead, allow only the trusted subnet and let the default inbound policy deny everything else. The ports below are the page's example values and 10.0.0.0/24 is a placeholder: confirm the ports ARM actually listens on first with netstat -ano | findstr LISTENING and substitute your own admin subnet.
netsh advfirewall firewall add rule name="ARM Admin Only" dir=in action=allow protocol=TCP localport=17778,17779 remoteip=10.0.0.0/24
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
🧯 If You Can't Patch
- Isolate the ARM server from internet access and restrict internal network access to only necessary administrative systems
- Implement application allowlisting and EDR solutions to detect and prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check the ARM version in the SolarWinds ARM web interface under Help > About. If the version is below 2024.3, the system is vulnerable.
Check Version:
The installed version is also recorded in Programs and Features (the Uninstall registry keys) on the ARM server, so an inventory or endpoint-management tool can collect it without logging into the web interface.
Verify Fix Applied:
After patching, verify the version shows 2024.3 or higher in the ARM interface and test that the ARM service is functioning normally.
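Deciding "below 2024.3" across a fleet of collected version strings is easy to get wrong with plain string comparison ("2024.10" sorts before "2024.3"). The following is an added example, not part of the page or of any SolarWinds tooling: it parses version strings as they might be collected from Help > About or Programs and Features (including ones with a hotfix suffix), compares them numerically against the fixed release, and reports which hosts still need the upgrade. The hostnames and versions in the inventory are constructed sample data.

```python
import re

# Fixed release named in the vendor advisory for CVE-2024-23469.
FIXED_VERSION = "2024.3"


def parse_version(text):
    """Extract the leading dotted version from a string such as '2024.2.1' or
    'Version 2023.2.3 HF1' and return it as a tuple of ints.
    Trailing hotfix tags are ignored. Raises ValueError when no version is present."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version_text):
    """True when the reported ARM version is below the fixed release.
    Integer-tuple comparison avoids the lexicographic trap where '2024.10' < '2024.3',
    and Python's tuple ordering treats (2024, 3, 1) as greater than (2024, 3)."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def audit(inventory):
    """Given {hostname: version_string}, return the sorted list of hosts still
    running a vulnerable ARM build. Entries without a parseable version are
    reported too, since an unknown version cannot be assumed safe."""
    needs_patch = []
    for host, version_text in inventory.items():
        try:
            vulnerable = is_vulnerable(version_text)
        except ValueError:
            vulnerable = True
        if vulnerable:
            needs_patch.append(host)
    return sorted(needs_patch)


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "arm-prod-01": "2024.3",
    "arm-prod-02": "2024.2.1",
    "arm-dr-01": "Version 2023.2.3 HF1",
    "arm-lab-01": "2024.3.1",
    "arm-old-01": "unknown",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_VERSION} or later")
```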
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation events from the ARM service
- Requests to the ARM listener from hosts outside the administrative networks (the flaw is unauthenticated, so do not rely on failed-logon events as a precursor)
- Windows Event Log entries showing unexpected SYSTEM privilege usage
Network Indicators:
- Unusual outbound connections from ARM server
- Traffic to known malicious IPs from ARM server
- Unexpected network scanning originating from ARM server
SIEM Query:
source="windows" AND (process_name="cmd.exe" OR process_name="powershell.exe") AND parent_process="SolarWinds.ARM.Service.exe"
The parent process name above is illustrative; confirm the actual ARM service executable names on your server (for example from the service definitions in Get-CimInstance Win32_Service) and adjust the query to match.
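The same detection logic, run over process-creation telemetry rather than expressed as a SIEM search, is shown below as an added example (not code from the page or from SolarWinds). It consumes Sysmon Event ID 1 records serialized as one JSON object per line, normalizes the full image paths Sysmon logs down to case-insensitive file names, and flags any interpreter or LOLBin spawned by the ARM service. The parent executable name is the one from the SIEM query above and is treated as a placeholder to be confirmed on the host; the log records are constructed sample data.

```python
import json
from pathlib import PureWindowsPath

# Parent executable name taken from the SIEM query. Placeholder: confirm the real
# service binary names on the host (e.g. Get-CimInstance Win32_Service) before use.
ARM_PARENTS = {"solarwinds.arm.service.exe"}

# Interpreters and LOLBins an access-management service has no business spawning.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "bitsadmin.exe",
}


def _basename(image):
    """Lower-cased file name of a Windows image path (Sysmon logs full paths)."""
    return PureWindowsPath(image).name.lower()


def find_suspicious_children(events):
    """Return the process-creation events in which an ARM service process spawned a
    suspicious child. Only Sysmon Event ID 1 records are considered; network (ID 3)
    and other event types are skipped."""
    hits = []
    for event in events:
        if event.get("EventID") != 1:
            continue
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent in ARM_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append(event)
    return hits


def load_events(text):
    """Parse newline-delimited JSON records, ignoring blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed sample records in the shape of Sysmon events (one JSON object per line).
# Record 1 and 3 are the attack pattern; 2 is the child's own console host, 4 is an
# administrator running PowerShell interactively, 5 is a network event, not a process start.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2024-07-18 09:12:01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Program Files\\SolarWinds\\ARM\\SolarWinds.ARM.Service.exe"}
{"EventID": 1, "UtcTime": "2024-07-18 09:12:02", "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "UtcTime": "2024-07-18 09:12:05", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE", "CommandLine": "powershell -enc SQBFAFgA", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Program Files\\SolarWinds\\ARM\\SOLARWINDS.ARM.SERVICE.EXE"}
{"EventID": 1, "UtcTime": "2024-07-18 09:15:00", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -File backup.ps1", "User": "CORP\\armadmin", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "UtcTime": "2024-07-18 09:12:06", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""

if __name__ == "__main__":
    for hit in find_suspicious_children(load_events(SAMPLE_LOG)):
        print(hit["UtcTime"], hit["User"], hit["CommandLine"])
```

Matching on the normalized file name rather than the raw path is what catches the third record, where both the parent and the child image are logged in a different case; a query that compares full paths literally would miss it.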