CVE-2024-28992
📋 TL;DR
CVE-2024-28992 is a directory traversal and information disclosure vulnerability in SolarWinds Access Rights Manager that allows unauthenticated attackers to delete arbitrary files and access sensitive information. This affects organizations using vulnerable versions of SolarWinds ARM. The vulnerability stems from improper authentication (CWE-287).
💻 Affected Systems
- SolarWinds Access Rights Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, exposure of sensitive configuration data, credentials, and potential lateral movement within the network.
Likely Case
Unauthorized access to sensitive information including configuration files, logs, and credentials, potentially leading to privilege escalation or data exfiltration.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring in place to detect unauthorized access attempts.
🎯 Exploit Status
Directory traversal vulnerabilities typically have low exploitation complexity, especially with unauthenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3
Vendor Advisory: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
Restart Required: Yes
Instructions:
1. Download SolarWinds ARM 2024.3 from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart the ARM service and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to ARM instances to trusted IP addresses and networks only
Use Windows Firewall or network ACLs to restrict access to ARM ports (default 17778)
Application Layer Filtering
Implement WAF rules to block directory traversal patterns
Add WAF rule: ^.*(\.\./|\.\.\\)
🧯 If You Can't Patch
- Isolate ARM instances in a dedicated network segment with strict access controls
- Implement comprehensive monitoring and alerting for file access and deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check ARM version in web interface (Admin → About) or via PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Access Rights Manager*'} | Select-Object Name, Version
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Access Rights Manager*'} | Select-Object Version
Verify Fix Applied:
Verify that the version is 2024.3 or later using the same methods, and confirm that directory traversal attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in ARM logs
- Failed authentication attempts followed by file operations
- Log entries containing '../' or '..\' patterns
Network Indicators:
- Unusual HTTP requests with directory traversal patterns to ARM ports
- Multiple file deletion requests from single source
SIEM Query:
source="arm_logs" AND ("../" OR "..\\" OR "%2e%2e%2f" OR "%2e%2e%5c")
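The SIEM query above only matches the literal and single-encoded forms. The following is an added example (not from the original page or from SolarWinds) that applies the same four indicators to request paths after repeated percent-decoding, so double-encoded variants are also flagged; the log line layout and all sample lines are constructed for the example, not ARM's real log format.

```python
"""Added example: flag directory-traversal patterns in web request logs,
including single- and double-URL-encoded forms. The log layout and the
sample lines are constructed assumptions, not SolarWinds ARM's format."""
import re
from urllib.parse import unquote

# Raw and encoded forms of "../" and "..\" (the same indicators as the
# SIEM query); backslash variants matter because ARM runs on Windows.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e%5c)", re.IGNORECASE)

def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e%252f (double-encoded) is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path: str) -> bool:
    """True if the raw path or any decoded form contains a traversal sequence."""
    return bool(TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(normalize(path)))

# Constructed sample lines in an assumed "client_ip method path status" layout.
SAMPLE_LOG = """\
10.0.0.5 GET /api/reports/daily.csv 200
10.0.0.9 GET /api/files?name=../../config/app.conf 200
10.0.0.9 DELETE /api/files?name=%2e%2e%5c%2e%2e%5cconfig.xml 200
10.0.0.9 GET /api/files?name=%252e%252e%252fsettings.ini 200
10.0.0.7 GET /api/users?q=john..smith 200
"""

def scan_log(text: str) -> list[str]:
    """Return the log lines whose request path matches a traversal pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and is_traversal(parts[2]):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT:", hit)
```

The `john..smith` line shows why the check keys on the separator that follows the dots rather than on `..` alone.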