iTnews Asia
SolarWinds patches three critical bugs

Zero Day Initiative discovered five RCEs.

By Richard Chirgwin on Feb 19, 2024 10:13AM

SolarWinds has patched five remote code execution (RCE) vulnerabilities in its Access Rights Manager software, three of which are rated critical.

The bugs were discovered and reported by Trend Micro’s Zero Day Initiative (ZDI).

The software lets users manage and audit access to Microsoft resources like Active Directory, Azure Active Directory, Exchange, SharePoint, OneDrive, and file servers.

According to SolarWinds’ advisory, CVE-2023-40057 is a bug in how the software handles deserialisation of untrusted data.

“If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution,” the advisory said.

The other two critical bugs are CVE-2024-23476 and CVE-2024-23479. Both are directory traversal bugs, and are exploitable by unauthenticated attackers.

Two more bugs reported through ZDI, with a “high” severity rating, are CVE-2024-23477 (a directory traversal bug) and CVE-2024-23478 (a deserialisation bug).
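The directory traversal class behind three of the five ARM bugs is worth seeing in code. The block below is an added illustration, not SolarWinds code, and says nothing about how ARM itself is built: a file resolver that trusts a client-supplied path sits beside a hardened one, and both are run over constructed requests. The base directory, file names and request strings are assumptions.

```python
"""Path traversal: vulnerable resolver vs. hardened resolver (added example)."""
import os
from urllib.parse import unquote

BASE_DIR = "/srv/arm-reports"  # hypothetical document root (assumption)

# Constructed requests an unauthenticated client might send (not real traffic).
SAMPLE_REQUESTS = [
    "quarterly/2024-q1.csv",              # legitimate file under the root
    "../../etc/passwd",                   # classic dot-dot traversal
    "..%2F..%2Fetc%2Fpasswd",             # same, with URL-encoded separators
    "/etc/shadow",                        # absolute path: os.path.join drops the base
    "%252e%252e/%252e%252e/etc/passwd",   # double-encoded: survives a single decode
]


def resolve_unsafe(base, requested):
    """Vulnerable: URL-decodes once and joins the client path to the root.

    normpath collapses '..' *after* the join, so the result can land outside
    base, and an absolute request discards base entirely.
    """
    return os.path.normpath(os.path.join(base, unquote(requested)))


def resolve_safe(base, requested):
    """Hardened: canonicalise both sides, then require the result to stay under base.

    realpath resolves '..' and symlinks; commonpath is used rather than a plain
    startswith so that '/srv/arm-reports-old' is not accepted as a child of
    '/srv/arm-reports'. Returns None when the request would escape.
    """
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, unquote(requested)))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def audit(base=BASE_DIR, requests=SAMPLE_REQUESTS):
    """Return {request: (unsafe_result, safe_result)} for each sample request."""
    return {r: (resolve_unsafe(base, r), resolve_safe(base, r)) for r in requests}


if __name__ == "__main__":
    for req, (unsafe, safe) in audit().items():
        print(f"{req!r:40} unsafe -> {unsafe}")
        print(f"{'':40} safe   -> {safe}")
```

The double-encoded request is the caveat to keep in mind: after one decode it is a literal directory named `%2e%2e`, so the hardened resolver correctly keeps it under the root. If a framework in front of the file handler decodes a second time before the path is opened, the containment check must run on the fully decoded path, otherwise the same string traverses.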

The vulnerabilities are patched in Access Rights Manager 2023.2.3.

In a separate advisory, SolarWinds also disclosed two high-rated bugs in its Orion Platform, also discovered by ZDI.

CVE-2023-50395 and CVE-2023-35188 are both SQL injection bugs affecting an update statement and a create statement, respectively.

SolarWinds said the two bugs can only be exploited by an authenticated user, and that it is not aware of them being exploited in the wild.
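An authentication requirement limits who can reach a SQL injection, not what it can do once reached. The block below is an added illustration, not SolarWinds code and unrelated to how the Orion Platform builds its queries: an update statement assembled by string concatenation sits beside a parameterised one, and a payload from a low-privilege but authenticated user is run through both against a constructed SQLite table. Table, column and row contents are assumptions.

```python
"""SQL injection in an UPDATE statement: concatenated vs. parameterised (added example)."""
import sqlite3

# Constructed inventory table; the data is invented for the demonstration.
SCHEMA = """
CREATE TABLE nodes (id INTEGER PRIMARY KEY, name TEXT, caption TEXT, managed INTEGER);
INSERT INTO nodes VALUES (1, 'web01', 'Web front end', 1);
INSERT INTO nodes VALUES (2, 'dc01',  'Domain controller', 1);
"""

# A caption an authenticated user is allowed to set on node 1. The quote closes
# the string literal, the rest rewrites the statement, and '--' comments out
# the original WHERE clause so every row is affected.
PAYLOAD = "pwned', managed = 0 WHERE 1=1 --"


def fresh_db():
    """Return a new in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_caption_unsafe(conn, node_id, caption):
    """Vulnerable: the user-controlled caption is spliced into the statement text."""
    sql = f"UPDATE nodes SET caption = '{caption}' WHERE id = {int(node_id)}"
    conn.execute(sql)
    conn.commit()


def update_caption_safe(conn, node_id, caption):
    """Hardened: the caption travels as a bound parameter and can only ever be data."""
    conn.execute("UPDATE nodes SET caption = ? WHERE id = ?", (caption, int(node_id)))
    conn.commit()


def snapshot(conn):
    """Return (id, caption, managed) for every row, in id order."""
    return conn.execute("SELECT id, caption, managed FROM nodes ORDER BY id").fetchall()


def demo(unsafe):
    """Apply PAYLOAD to node 1 through the chosen updater and return the table state."""
    conn = fresh_db()
    updater = update_caption_unsafe if unsafe else update_caption_safe
    updater(conn, 1, PAYLOAD)
    return snapshot(conn)


if __name__ == "__main__":
    print("concatenated:", demo(unsafe=True))
    print("parameterised:", demo(unsafe=False))
```

Through the concatenated statement the payload sets `managed = 0` on both nodes, including the domain controller the user had no business touching; through the parameterised statement it is stored verbatim as the caption of node 1 and nothing else changes. SQLite's `execute` refuses stacked statements, so the example stops at rewriting the UPDATE; on a database server that allows them, the same splice point also carries arbitrary additional statements.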

Access Rights Manager last needed patching against RCEs in October last year.

SolarWinds famously suffered a major supply-chain attack in 2020, in which a trojanised Orion update reached high-profile customers such as Microsoft.

Copyright © iTnews.com.au. All rights reserved.