[CDP-development] TLP:GREEN (Zero-Day Alert Notification) Eight total Zero-Day vulnerabilities discovered in the SolarWinds ARM tool
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Mon Oct 23 10:04:03 PDT 2023
Good morning,
The SOC Services team is reporting on the vulnerabilities: Multiple CVE Zero-Day: Eight total vulnerabilities discovered in the SolarWinds ARM tool. Due to its high visibility, knowledge of the appliances in the state environment, and potential for exploitation, we are providing this in-depth information:
History: On June 22, 2023, eight zero-day vulnerabilities were reported by SolarWinds, three of them with critical severity. On October 18, 2023, SolarWinds released patch 2023.2.1 for the vulnerabilities.
Critical vulnerabilities:
CVE-2023-35182 - SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2023-35185 - SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability
CVE-2023-35187 - SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability
High vulnerabilities:
CVE-2023-35180 - SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2023-35184 - SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2023-35186 - SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2023-35181 - SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability
CVE-2023-35183 - SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability
Patched Version:
SolarWinds ARM 2023.2.1
Intelligence: As of October 23, 2023, the vulnerabilities have not been confirmed as being exploited in the wild.
Workarounds: There are no workarounds at this time.
How it works:
CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187: A lack of proper input validation in the methods createGlobalServerChannelInternal, OpenFile, and OpenClientUpdateFile, respectively, could enable attackers to run arbitrary code at the SYSTEM level.
CVE-2023-35180, CVE-2023-35184, and CVE-2023-35186: Allow users to abuse a SolarWinds service, or the ARM API, to achieve remote code execution (RCE).
CVE-2023-35181 and CVE-2023-35183: Allow unauthorized users to abuse local resources and incorrect folder permissions to perform local privilege escalation.
Post-Exploit: Details for each vulnerability are found below:
CVE-2023-35182 - The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability can be abused by unauthenticated users on the SolarWinds ARM server.
CVE-2023-35185 - The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Execution vulnerability, with the code executing under SYSTEM privileges.
CVE-2023-35187 - The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Execution vulnerability, with the code executing under SYSTEM privileges.
CVE-2023-35180 - The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability allows authenticated users to abuse the SolarWinds ARM API.
CVE-2023-35184 - The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service, resulting in remote code execution.
CVE-2023-35186 - The SolarWinds Access Rights Manager was susceptible to a Remote Code Execution vulnerability. This vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
CVE-2023-35181 - The SolarWinds Access Rights Manager was susceptible to a Privilege Escalation vulnerability. This vulnerability allows users to abuse incorrect folder permissions, resulting in privilege escalation.
CVE-2023-35183 - The SolarWinds Access Rights Manager was susceptible to a Privilege Escalation vulnerability. This vulnerability allows authenticated users to abuse local resources, resulting in privilege escalation.
As of October 23, 2023, Tenable has not released any plugins for the vulnerabilities and does not have any plugins in the pipeline.
Recommended Actions:
* Verify host has not been compromised before applying patches.
* Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
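The following PowerShell script is an added example, not part of the advisory or of SolarWinds' own tooling, that an administrator can run on an ARM server to check whether the installed build is at or above the patched version 2023.2.1 and to flag broad write permissions on the install folder, the class of misconfiguration behind the two local privilege escalation CVEs. It assumes the product registers an uninstall entry whose DisplayName contains "Access Rights Manager" and populates InstallLocation; the group list and rights mask are the author's choices, not values from the advisory.

```powershell
# Added example (not from the advisory). Assumptions: ARM's uninstall registry entry
# has a DisplayName containing "Access Rights Manager" and an InstallLocation value.
$PatchedVersion = [version]'2023.2.1'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$arm = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Access Rights Manager*' } |
    Select-Object -First 1

if (-not $arm) {
    Write-Output 'SolarWinds ARM not found in the uninstall registry; nothing to check.'
    return
}

# DisplayVersion may carry extra build fields (e.g. 2023.2.1.1234); [version] compares
# them field by field, so 2023.2.1.x still counts as patched.
$installed = [version]$arm.DisplayVersion
if ($installed -ge $PatchedVersion) {
    Write-Output "ARM $installed is at or above patched version $PatchedVersion."
} else {
    Write-Warning "ARM $installed is BELOW patched version $PatchedVersion; update after testing."
}

# Folder permission check: Allow ACEs that grant write-class rights to broad groups
# on the install directory are the kind of incorrect default permission the advisory
# describes for CVE-2023-35181 and CVE-2023-35183. Group list is an assumption.
$installDir = $arm.InstallLocation
if ($installDir -and (Test-Path -Path $installDir)) {
    $broadGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Write covers WriteData/AppendData/WriteAttributes/WriteExtendedAttributes;
    # Modify and FullControl include these bits, ReadAndExecute does not.
    $writeMask = $fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership

    (Get-Acl -Path $installDir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $writeMask) -ne 0
        } |
        ForEach-Object {
            Write-Warning "$installDir grants $($_.FileSystemRights) to $($_.IdentityReference)"
        }
}
```

Run it in an elevated session so Get-Acl can read the directory's DACL; a warning from the permission check is a prompt to review the folder's ACL against the vendor's documented defaults, not proof of compromise.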
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."