CVE-2024-23479
📋 TL;DR
SolarWinds Access Rights Manager (ARM) contains a directory traversal vulnerability that allows unauthenticated attackers to execute arbitrary code remotely. This affects all organizations running vulnerable versions of SolarWinds ARM, potentially giving attackers full control over affected systems.
💻 Affected Systems
- SolarWinds Access Rights Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal credentials, pivot to other systems, and maintain persistent access to the network.
Likely Case
Initial foothold leading to ransomware deployment, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact if the system is isolated, monitored, and protected by proper security controls, though it still represents a significant risk.
🎯 Exploit Status
Unauthenticated RCE with directory traversal typically has low exploitation complexity. While no public PoC exists, similar vulnerabilities are often weaponized quickly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1 or later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23479
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2024.1 or later from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the ARM service and verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate SolarWinds ARM from the internet and restrict internal network access
Web Application Firewall Rules
Block directory traversal patterns and suspicious file operations
🧯 If You Can't Patch
- Immediately isolate the SolarWinds ARM server from all network access
- Implement strict network segmentation and monitor for any suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check SolarWinds ARM version in the web interface under Help > About or via Windows Programs and Features
Check Version:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*SolarWinds Access Rights Manager*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Verify that the version is 2024.1 or later and test that directory traversal attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual file path access patterns in web logs
- Unexpected process creation from ARM service
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- Unusual outbound connections from ARM server
- Suspicious file transfer patterns
- Anomalous HTTP requests with path traversal sequences
SIEM Query:
source="solarwinds-arm" AND (uri="*../*" OR uri="*..\\*" OR process="*cmd*" OR process="*powershell*")
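Added example (not from the vendor advisory or the original page): the wildcard terms in the query above match only literal `../` and `..\`, so if the log source stores the raw, undecoded URI, percent-encoded traversal sequences will not match. The sketch below decodes each URI before checking it. The log layout, the `/app/...` paths and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# ".." directly followed by a separator, or a trailing "/.." segment.
TRAVERSAL = re.compile(r'\.\.[\\/]|[\\/]\.\.(?=$|[?#])')
REQUEST = re.compile(r'^(\S+) "\w+ (\S+)')  # assumed layout: client "METHOD uri ..."
MAX_ROUNDS = 3  # assumption: unwraps up to triple percent-encoding

# Constructed sample lines (not real ARM logs; paths are placeholders).
SAMPLE_LOG = [
    '192.0.2.10 "GET /app/dashboard?tab=users HTTP/1.1" 200',
    '192.0.2.44 "GET /app/files/../../config.xml HTTP/1.1" 404',
    '192.0.2.44 "GET /app/files/%2e%2e%2f%2e%2e%2fconfig.xml HTTP/1.1" 404',
    '192.0.2.44 "GET /app/files/%252e%252e%255cconfig.xml HTTP/1.1" 404',
    '192.0.2.10 "GET /app/report..v2.pdf HTTP/1.1" 200',
]

def normalize_uri(uri):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def literal_match(uri):
    """What a raw wildcard match sees: dot-dot-slash or dot-dot-backslash."""
    return '../' in uri or '..\\' in uri

def scan(lines):
    """Return (client, raw_uri, caught_by_literal) for each traversal hit."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and TRAVERSAL.search(normalize_uri(m.group(2))):
            hits.append((m.group(1), m.group(2), literal_match(m.group(2))))
    return hits

if __name__ == "__main__":
    for client, uri, literal in scan(SAMPLE_LOG):
        note = "literal match" if literal else "only after decoding"
        print(f"{client}  {uri}  [{note}]")
```

Entries reported as "only after decoding" are the ones a raw-string wildcard rule would miss; the benign `report..v2.pdf` request is not flagged.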