CVE-2024-23473
📋 TL;DR
This CVE describes a hard-coded credential vulnerability in SolarWinds Access Rights Manager that allows authentication bypass to the RabbitMQ management console. Attackers can exploit this to gain unauthorized access to messaging services. All systems running vulnerable versions of SolarWinds ARM are affected.
💻 Affected Systems
- SolarWinds Access Rights Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of RabbitMQ messaging infrastructure leading to data exfiltration, service disruption, and lateral movement within the network.
Likely Case
Unauthorized access to RabbitMQ management console allowing message queue manipulation, configuration changes, and potential privilege escalation.
If Mitigated
Limited impact if network segmentation prevents access to RabbitMQ ports and proper authentication controls are in place.
🎯 Exploit Status
Exploitation requires knowledge of the hard-coded credentials but is straightforward once they are obtained. No authentication is needed beyond use of those credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.2.4
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23473
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2023.2.4 from the SolarWinds Customer Portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart services as prompted.
🔧 Temporary Workarounds
Network Segmentation
Platform: all. Block external and unnecessary internal access to the RabbitMQ management port (default 15672).
# Windows Firewall: New-NetFirewallRule -DisplayName "Block RabbitMQ Management" -Direction Inbound -LocalPort 15672 -Protocol TCP -Action Block
# Linux iptables: iptables -A INPUT -p tcp --dport 15672 -j DROP
Credential Rotation
Platform: linux. Manually change the RabbitMQ credentials if immediate patching is not possible.
rabbitmqctl change_password guest new_secure_password
rabbitmqctl set_permissions -p / guest ".*" ".*" ".*"
🧯 If You Can't Patch
- Implement strict network access controls to RabbitMQ management interface (port 15672)
- Monitor for unauthorized access attempts to RabbitMQ services and review authentication logs
🔍 How to Verify
Check if Vulnerable:
Check SolarWinds ARM version in web interface (Settings > About) or via PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Access Rights Manager*"} | Select-Object Version
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Access Rights Manager*"} | Select-Object Version
Verify Fix Applied:
Verify version is 2023.2.4 or later and test RabbitMQ management console access with old hard-coded credentials (should fail)
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts to RabbitMQ with hard-coded credentials
- Successful logins to RabbitMQ management console from unexpected sources
- Configuration changes to RabbitMQ without authorized change tickets
Network Indicators:
- TCP connections to port 15672 from unauthorized IP addresses
- Unusual RabbitMQ API calls or management interface access patterns
SIEM Query:
source="rabbitmq.log" AND ("authentication failed" OR "Login succeeded") | stats count by src_ip, user
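Added example (not from the vendor advisory or this page's source): the same grouping as the SIEM query above, plus the "unexpected sources" check from the log indicators, run over constructed log lines. The line layout with src_ip= and user= fields, the allow-listed subnet, the account names and the failure threshold are all assumptions; adapt the pattern to the log format your RabbitMQ instance actually emits.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: management hosts allowed to reach port 15672 (constructed value).
ALLOWED_SOURCES = [ip_network("10.0.5.0/28")]

# Assumption: each log line carries user= and src_ip= fields, matching the
# field names used in the SIEM query; real RabbitMQ log layouts differ.
LINE_RE = re.compile(
    r"(?P<event>authentication failed|Login succeeded)"
    r".*?\buser=(?P<user>\S+).*?\bsrc_ip=(?P<src_ip>\S+)"
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
2024-02-20 09:14:02 Login succeeded user=arm_svc src_ip=10.0.5.4
2024-02-20 09:20:41 authentication failed user=guest src_ip=10.0.9.77
2024-02-20 09:20:43 authentication failed user=guest src_ip=10.0.9.77
2024-02-20 09:21:10 Login succeeded user=guest src_ip=10.0.9.77
2024-02-20 09:30:00 queue declared name=arm.events
2024-02-20 09:31:15 authentication failed user=admin src_ip=not-an-ip
"""

def is_allowed(src_ip):
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False  # an unparseable source is treated as unexpected
    return any(addr in net for net in ALLOWED_SOURCES)

def analyze(log_text, fail_threshold=2):
    """Return (counts, alerts); counts is keyed by (event, src_ip, user)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # lines without an authentication event are ignored
            counts[(m["event"], m["src_ip"], m["user"])] += 1
    alerts = []
    for (event, src_ip, user), n in sorted(counts.items()):
        if event == "Login succeeded" and not is_allowed(src_ip):
            alerts.append(("login_from_unexpected_source", src_ip, user, n))
        elif event == "authentication failed" and n >= fail_threshold:
            alerts.append(("repeated_auth_failure", src_ip, user, n))
    return counts, alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[1]:
        print(alert)
```

A failure burst followed by a success from the same source, as in the sample, is the pattern worth escalating first.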
🔗 References
- https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23473