CVE-2024-28990
📋 TL;DR
SolarWinds Access Rights Manager (ARM) contains hard-coded credentials that allow authentication bypass to the RabbitMQ management console. This vulnerability affects all SolarWinds ARM installations using vulnerable versions. Attackers could gain unauthorized access to message queue management functions.
💻 Affected Systems
- SolarWinds Access Rights Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of RabbitMQ management console leading to message queue manipulation, data exposure, and potential lateral movement within the network.
Likely Case
Unauthorized access to RabbitMQ console allowing viewing of sensitive message data and potential disruption of messaging services.
If Mitigated
Limited impact if RabbitMQ console is isolated from sensitive systems and monitored for unauthorized access.
🎯 Exploit Status
Exploitation requires knowledge of the hard-coded credentials and access to the RabbitMQ management interface. No further authentication is needed once the credentials are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.1
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28990
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2024.3.1 from SolarWinds Customer Portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart ARM services after installation completes.
🔧 Temporary Workarounds
Restrict RabbitMQ Management Console Access
Windows: Block network access to the RabbitMQ management console port (default 15672) using firewall rules.
netsh advfirewall firewall add rule name="Block RabbitMQ Console" dir=in action=block protocol=TCP localport=15672
Change RabbitMQ Credentials
Linux: Manually change RabbitMQ credentials if unable to patch immediately.
rabbitmqctl change_password guest new_secure_password
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RabbitMQ management console from untrusted networks
- Enable detailed logging and monitoring for RabbitMQ management console access attempts
🔍 How to Verify
Check if Vulnerable:
Check the ARM version in the SolarWinds ARM web interface under Help > About. If the version is earlier than 2024.3.1, the system is vulnerable.
Check Version:
Not applicable - check via ARM web interface
Verify Fix Applied:
After upgrading to 2024.3.1, verify that Help > About shows version 2024.3.1 or later. Test that the hard-coded credentials no longer work for RabbitMQ console access.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts to RabbitMQ console using default credentials
- Successful logins to RabbitMQ console from unexpected IP addresses
Network Indicators:
- TCP connections to port 15672 from unauthorized sources
- HTTP requests to /api/ endpoints on RabbitMQ management port
SIEM Query:
source="rabbitmq.log" AND (event="authentication failure" OR event="login succeeded")
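The log and network indicators above, turned into a small triage script as an added example (not SolarWinds or RabbitMQ code). It assumes the management plugin's HTTP access log is enabled and written in a Common Log Format-style layout; the allowlist and the sample lines are constructed.

```python
import ipaddress
import re

# Assumption: access-log lines look like
#   client - user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist: hosts expected to reach the console on port 15672.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.20.0.5/32")]


def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field is treated as unexpected
    return any(addr in net for net in ALLOWED_SOURCES)


def classify(line):
    """Return (ip, user, finding) for a suspicious /api/ request, else None."""
    m = LINE_RE.match(line)
    if not m or not m["path"].startswith("/api/"):
        return None
    status, allowed = int(m["status"]), is_allowed(m["ip"])
    if status == 401:  # failed authentication, from any source
        return (m["ip"], m["user"], "failed-auth")
    if 200 <= status < 300 and m["user"] != "-" and not allowed:
        return (m["ip"], m["user"], "login-from-unexpected-source")
    if not allowed:
        return (m["ip"], m["user"], "api-request-from-unexpected-source")
    return None


def scan(lines):
    return [f for f in map(classify, lines) if f]


# Constructed sample lines (not real log data).
SAMPLE = [
    '127.0.0.1 - monitor [17/Sep/2024:10:00:01 +0000] "GET /api/overview HTTP/1.1" 200 512',
    '192.0.2.44 - - [17/Sep/2024:10:02:13 +0000] "GET /api/whoami HTTP/1.1" 401 71',
    '192.0.2.44 - svc [17/Sep/2024:10:02:15 +0000] "GET /api/queues HTTP/1.1" 200 2048',
    '10.20.0.5 - admin [17/Sep/2024:10:05:00 +0000] "GET /js/main.js HTTP/1.1" 200 900',
    '198.51.100.7 - - [17/Sep/2024:10:06:00 +0000] "GET /api/overview HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A failed-auth finding followed by a login-from-unexpected-source finding for the same client address is the sequence worth escalating first.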