CVE-2024-23478

8.0 HIGH

📋 TL;DR

SolarWinds Access Rights Manager (ARM) contains a deserialization vulnerability that allows authenticated users to execute arbitrary code remotely. This affects organizations using vulnerable versions of SolarWinds ARM. Attackers could gain full control of affected systems.

💻 Affected Systems

Products:
  • SolarWinds Access Rights Manager
Versions: Prior to 2024.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the SolarWinds ARM web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to data theft, lateral movement, and persistent backdoor installation across the network.

🟠 Likely Case

Privilege escalation leading to domain admin access, credential harvesting, and deployment of ransomware or other malware.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.1 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23478

Restart Required: Yes

Instructions:

1. Download SolarWinds ARM 2024.1 or later from the SolarWinds customer portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart the SolarWinds ARM service.

🔧 Temporary Workarounds

Restrict Network Access

Limit access to SolarWinds ARM interface to trusted IP addresses only.

Configure firewall rules to restrict access to SolarWinds ARM ports (default 17778)

Enforce Strong Authentication

Implement multi-factor authentication and strong password policies for all SolarWinds ARM accounts.

🧯 If You Can't Patch

  • Isolate SolarWinds ARM server in a dedicated VLAN with strict network segmentation
  • Implement application allowlisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check SolarWinds ARM version in the web interface under Help > About.

Check Version:

Check web interface or registry key: HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Access Rights Manager\Version

Verify Fix Applied:

Verify version is 2024.1 or later and check for successful patch installation logs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from SolarWinds ARM service
  • Failed authentication attempts followed by successful login
  • Unusual network connections from ARM server

Network Indicators:

  • Outbound connections from ARM server to unusual destinations
  • Unusual port activity on ARM server

SIEM Query:

source="solarwinds-arm" AND (event_type="process_creation" OR event_type="network_connection")
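
The log indicators above are more useful correlated than alone: a successful login that follows a burst of failures, then process or network activity on the ARM server shortly after. The Python below is an added example, not SolarWinds code or part of the original page; the `authentication` event type, every field name and all sample events are constructed assumptions (only `process_creation` and `network_connection` appear in the SIEM query above).

```python
from datetime import datetime, timedelta

# Constructed sample events. Only the "process_creation" and "network_connection"
# event types come from the SIEM query; everything else here is an assumption.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:30:00", "event_type": "authentication", "user": "alice", "src": "10.0.5.10", "outcome": "failure"},
    {"ts": "2024-03-01T08:30:30", "event_type": "authentication", "user": "alice", "src": "10.0.5.10", "outcome": "success"},
    {"ts": "2024-03-01T09:00:05", "event_type": "authentication", "user": "jdoe", "src": "10.0.5.23", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:40", "event_type": "authentication", "user": "jdoe", "src": "10.0.5.23", "outcome": "failure"},
    {"ts": "2024-03-01T09:01:10", "event_type": "authentication", "user": "jdoe", "src": "10.0.5.23", "outcome": "failure"},
    {"ts": "2024-03-01T09:02:00", "event_type": "authentication", "user": "jdoe", "src": "10.0.5.23", "outcome": "success"},
    {"ts": "2024-03-01T09:04:30", "event_type": "process_creation", "detail": "powershell.exe spawned by ARM service"},
    {"ts": "2024-03-01T09:05:00", "event_type": "network_connection", "detail": "outbound to 203.0.113.50:443"},
    {"ts": "2024-03-01T11:00:00", "event_type": "process_creation", "detail": "scheduled backup job"},
]

def correlate(events, min_failures=3, burst=timedelta(minutes=5), follow=timedelta(minutes=15)):
    """Flag logins that follow a burst of failures, then attach host activity seen soon after."""
    failures = {}  # (user, src) -> timestamps of recent failed logins
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        if e["event_type"] == "authentication":
            key = (e["user"], e["src"])
            recent = [t for t in failures.get(key, []) if ts - t <= burst]
            if e["outcome"] == "failure":
                failures[key] = recent + [ts]
                continue
            failures.pop(key, None)  # a success resets the failure counter
            if len(recent) >= min_failures:
                alerts.append({"user": e["user"], "src": e["src"], "login": ts,
                               "failed": len(recent), "followups": []})
        elif e["event_type"] in ("process_creation", "network_connection"):
            for a in alerts:
                if ts - a["login"] <= follow:  # events are sorted, so ts >= login
                    a["followups"].append((e["event_type"], e["detail"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (`min_failures`, `burst`, `follow`) are starting values to tune against the environment's normal login and service behaviour.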
