CVE-2024-28991
📋 TL;DR
SolarWinds Access Rights Manager (ARM) contains a deserialization vulnerability (CWE-502) that allows authenticated users to execute arbitrary code remotely. This affects organizations using vulnerable versions of SolarWinds ARM. Attackers could gain full control of affected systems.
💻 Affected Systems
- SolarWinds Access Rights Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal credentials, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain administrative privileges on the ARM server, potentially accessing sensitive Active Directory information and using it for lateral movement.
If Mitigated
Limited impact if proper network segmentation, authentication controls, and monitoring are in place to detect exploitation attempts.
🎯 Exploit Status
Requires authenticated access but exploitation appears straightforward once authentication is obtained. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.1
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28991
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2024.3.1 from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the ARM service and verify functionality.
🔧 Temporary Workarounds
Restrict Network Access
Limit access to the ARM web interface to trusted administrative networks only
Configure firewall rules to restrict access to ARM ports (default 17778)
Enforce Strong Authentication
Implement multi-factor authentication and strong password policies for ARM accounts
Enable MFA in ARM settings and enforce complex passwords
🧯 If You Can't Patch
- Isolate ARM server in a dedicated network segment with strict access controls
- Implement application allowlisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check ARM version in web interface under Help > About or via Windows Programs and Features
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Access Rights Manager*'} | Select-Object Name, Version
Verify Fix Applied:
Verify version shows 2024.3.1 or later and test ARM functionality
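The version check above can be scripted so the comparison against the fixed release is not done by eye. The following is an added example, not from the vendor advisory; it assumes ARM registers under the standard Windows Uninstall registry keys with a DisplayName containing "Access Rights Manager" (the same match used in the WMI query above) and a DisplayVersion that parses as a [version].

```powershell
# Added example (not vendor code): report whether the installed ARM build predates 2024.3.1.
# Assumption: ARM appears in the Uninstall keys with DisplayName like '*Access Rights Manager*'
# and a DisplayVersion such as '2024.3.0'. Reading the registry avoids the slow
# Win32_Product enumeration, which triggers a consistency check of every installed MSI.
function Test-ArmVulnerable {
    param(
        [version]$FixedVersion = [version]'2024.3.1'
    )

    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Missing Wow6432Node (32-bit-less hosts) is not an error, so suppress it.
    $installs = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Access Rights Manager*' }

    if (-not $installs) {
        return [pscustomobject]@{
            Name       = $null
            Version    = $null
            Vulnerable = $false
            Note       = 'ARM not found in Uninstall registry keys'
        }
    }

    foreach ($app in $installs) {
        $installed = $null
        # TryParse keeps an unparseable DisplayVersion from aborting the whole check.
        if ([version]::TryParse([string]$app.DisplayVersion, [ref]$installed)) {
            $vulnerable = $installed -lt $FixedVersion
            $note = if ($vulnerable) { "Below fixed version $FixedVersion" } else { 'Fixed version or later' }
        } else {
            $vulnerable = $true   # treat an unknown version as unpatched until confirmed
            $note = "Could not parse DisplayVersion '$($app.DisplayVersion)'; verify manually via Help > About"
        }

        [pscustomobject]@{
            Name       = $app.DisplayName
            Version    = $app.DisplayVersion
            Vulnerable = $vulnerable
            Note       = $note
        }
    }
}

Test-ArmVulnerable | Format-Table -AutoSize
```

Run it in an elevated session on the ARM server; a Vulnerable value of True for any row means the 2024.3.1 update has not been applied.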
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from ARM service
- Suspicious network connections from ARM server
- Failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from ARM server
- Traffic to suspicious IPs/domains from ARM server
SIEM Query:
source="ARM_Logs" AND ((event_type="process_creation" AND process_name NOT IN ("arm_service.exe", "normal_processes")) OR (event_type="network_connection" AND dest_ip NOT IN ("trusted_ips")))