CVE-2024-23474
📋 TL;DR
CVE-2024-23474 is a vulnerability in SolarWinds Access Rights Manager that allows attackers to delete arbitrary files and disclose sensitive information. This affects organizations using vulnerable versions of SolarWinds ARM, potentially leading to data loss and unauthorized access to system information.
💻 Affected Systems
- SolarWinds Access Rights Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files combined with credential disclosure, leading to service disruption and lateral movement.
Likely Case
Unauthorized deletion of application files and disclosure of configuration data, potentially enabling further attacks.
If Mitigated
Limited impact with proper network segmentation and access controls, restricting file operations to non-critical areas.
🎯 Exploit Status
Exploitation requires some knowledge of the application structure but follows predictable patterns common to path traversal vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3
Vendor Advisory: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2024.3 from the SolarWinds customer portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the ARM service after installation completes.
🔧 Temporary Workarounds
Network Segmentation
Platform: all
Restrict network access to the ARM web interface to trusted IP addresses only.
File System Permissions
Platform: Windows
Apply strict file system permissions to limit what files the ARM service account can access.
icacls "C:\Program Files\SolarWinds\ARM" /deny "ARM_Service_Account":(OI)(CI)(DE,DC)
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the ARM web interface.
- Enable detailed logging and monitor for unusual file deletion or access patterns.
🔍 How to Verify
Check if Vulnerable:
Check the ARM version in the web interface under Help > About. If the version is below 2024.3, the system is vulnerable.
Check Version:
Not applicable - check via web interface or Windows Programs and Features
Verify Fix Applied:
Verify the version shows 2024.3 or higher after patching and test that file operations through the interface are properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in Windows Event Logs
- Multiple failed file access attempts from single source
Network Indicators:
- Unusual HTTP requests to ARM web interface with file path parameters
- Traffic patterns suggesting directory traversal attempts
SIEM Query:
source="windows" event_id="4663" object_name="*SolarWinds*" | stats count by src_ip
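
An added example (not from the vendor or the original page) of the deletion monitoring described above: event 4663 records the account and process that touched a file, not a network source, so this code counts DELETE accesses under the SolarWinds path per account and process from exported event XML. The sample events, account name and process path are constructed placeholders, and the path match mirrors the `*SolarWinds*` filter in the query.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000             # DELETE bit in the 4663 AccessMask field
WATCHED = "\\solarwinds\\"   # assumption: audited files live under a SolarWinds directory

def parse_4663(xml_text):
    """Return the EventData fields of one 4663 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def delete_counts(events_xml, threshold=2):
    """Count DELETE accesses under the watched path per (account, process)."""
    hits = Counter()
    for xml_text in events_xml:
        fields = parse_4663(xml_text)
        if fields is None:
            continue
        if WATCHED not in fields.get("ObjectName", "").lower():
            continue  # file outside the monitored directory
        if int(fields.get("AccessMask", "0"), 16) & DELETE:
            hits[(fields.get("SubjectUserName"), fields.get("ProcessName"))] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

def make_event(event_id, user, obj, mask, proc):
    """Build a minimal event XML record (constructed test data, not a real log)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="ObjectName">{obj}</Data>'
            f'<Data Name="AccessMask">{mask}</Data>'
            f'<Data Name="ProcessName">{proc}</Data></EventData></Event>')

ARM_DIR = r"C:\Program Files\SolarWinds\ARM"       # path taken from the icacls line
PROC = ARM_DIR + r"\placeholder_service.exe"       # placeholder process name
SAMPLE_EVENTS = [
    make_event(4663, "svc_arm_placeholder", ARM_DIR + r"\cfg\a.tmp", "0x10000", PROC),
    make_event(4663, "svc_arm_placeholder", ARM_DIR + r"\cfg\b.tmp", "0x10000", PROC),
    make_event(4663, "svc_arm_placeholder", ARM_DIR + r"\logs\x.log", "0x2", PROC),
    make_event(4663, "alice", r"C:\Users\alice\doc.txt", "0x10000", r"C:\Windows\explorer.exe"),
    make_event(4624, "alice", "", "0x0", ""),
]

if __name__ == "__main__":
    for (user, proc), n in delete_counts(SAMPLE_EVENTS).items():
        print(f"{n} deletes by {user} via {proc}")
```

Event 4663 is only written when file system auditing is enabled and an audit entry (SACL) covers the directory, so confirm both before relying on an empty result.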