CVE-2024-23479 Overview
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. This critical security flaw allows an unauthenticated attacker on an adjacent network to achieve Remote Code Execution on vulnerable systems. The vulnerability stems from improper path validation, enabling attackers to traverse directory structures and execute arbitrary code without requiring any authentication.
Critical Impact
Unauthenticated attackers can achieve remote code execution through directory traversal, potentially gaining complete control over affected SolarWinds Access Rights Manager installations.
Affected Products
- SolarWinds Access Rights Manager (all versions prior to patched release)
- Organizations using ARM for access rights management and auditing
- Enterprise environments with ARM deployed for compliance monitoring
Discovery Timeline
- February 15, 2024 - CVE-2024-23479 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-23479
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in how SolarWinds Access Rights Manager handles user-supplied input when processing file path requests. Due to insufficient validation and sanitization of path parameters, an attacker can manipulate input to escape the intended directory structure.
The vulnerability is particularly severe because it can be exploited by unauthenticated users from an adjacent network. Once directory traversal is achieved, the attacker can leverage this access to execute arbitrary code on the target system, potentially compromising the entire ARM deployment and any connected systems it manages.
Root Cause
The root cause of CVE-2024-23479 lies in inadequate input validation within the Access Rights Manager application. Specifically, the application fails to properly sanitize user-controlled path inputs, allowing sequences such as ../ or similar path traversal characters to escape the application's intended directory boundaries. This lack of proper path canonicalization and validation enables attackers to access files and directories outside the authorized scope.
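The canonicalize-then-validate step described above, as an added example (not SolarWinds code and not from the original advisory). The base directory and both function names are hypothetical; `ntpath` is used so that Windows path rules apply on any platform.

```python
import ntpath  # Windows path semantics regardless of the host OS

BASE_DIR = r"C:\AppData\reports"  # hypothetical base directory, not an ARM path


def naive_join(user_path: str) -> str:
    """Weak pattern: strip '../' once, then join. Misses backslash and nested forms."""
    cleaned = user_path.replace("../", "")
    return ntpath.normpath(ntpath.join(BASE_DIR, cleaned))


def safe_join(user_path: str) -> str:
    """Canonicalize first, then require the result to stay under BASE_DIR."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = ntpath.normpath(BASE_DIR)
    # join() lets an absolute or drive-qualified input replace the base,
    # so the containment check below must run on the joined result.
    candidate = ntpath.normpath(ntpath.join(base, user_path))
    try:
        # commonpath compares whole components, so C:\AppData\reports_evil
        # is not accepted as a child of C:\AppData\reports.
        inside = ntpath.commonpath([base, candidate]).lower() == base.lower()
    except ValueError:  # different drives, or absolute mixed with relative
        inside = False
    if not inside:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate
```

`normpath` is purely lexical: it does not resolve symlinks, junctions or 8.3 short names, so a file-system-level check is still needed where those can exist. Any percent-decoding has to happen before the path reaches `safe_join`.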
Attack Vector
The attack vector for this vulnerability is through the adjacent network (AV:A), meaning the attacker must be on the same network segment or have some form of adjacent network access to the vulnerable ARM installation. The attack requires no user interaction and can be executed without any privileges or authentication.
An attacker would craft malicious requests containing directory traversal sequences to navigate outside the intended directory structure. By targeting specific system files or uploading malicious payloads to executable locations, the attacker can achieve remote code execution. The changed scope (S:C) indicates that successful exploitation can impact resources beyond the vulnerable component itself.
For detailed technical information about this vulnerability, refer to the SolarWinds Security Advisory CVE-2024-23479.
Detection Methods for CVE-2024-23479
Indicators of Compromise
- Unusual file access patterns in ARM logs showing attempts to access files outside normal application directories
- HTTP/HTTPS requests containing path traversal sequences such as ../, ..\, or URL-encoded variants like %2e%2e%2f
- Unexpected processes spawned by the ARM application service
- New or modified files in system directories that should not be written to by the ARM application
Detection Strategies
- Monitor network traffic to ARM servers for requests containing directory traversal patterns or encoded path manipulation sequences
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Review ARM application logs for access attempts to files outside the application's web root or data directories
- Deploy SentinelOne Singularity to detect and prevent unauthorized code execution attempts on systems running ARM
Monitoring Recommendations
- Configure SIEM rules to alert on path traversal patterns in web server logs associated with ARM installations
- Enable detailed logging on ARM servers and forward logs to centralized security monitoring
- Implement network segmentation monitoring to detect lateral movement attempts following potential exploitation
- Use endpoint detection and response (EDR) solutions to monitor for post-exploitation behaviors
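One way to implement the log check described in the detection and monitoring items above, as an added example that is not part of the original advisory. The log lines are constructed, the access-log layout and the `/app/report` path are assumptions, and the function names are hypothetical; the decoder also handles double-encoded input, which goes beyond the single-encoded variant the page lists.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic access-log layout (not real ARM logs).
SAMPLE_LOG = """\
10.0.1.15 - - [15/Feb/2024:10:01:02 +0000] "GET /app/report?file=summary.pdf HTTP/1.1" 200
10.0.2.77 - - [15/Feb/2024:10:01:09 +0000] "GET /app/report?file=../../conf/app.xml HTTP/1.1" 404
10.0.2.77 - - [15/Feb/2024:10:01:11 +0000] "GET /app/report?file=%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 404
10.0.2.77 - - [15/Feb/2024:10:01:14 +0000] "GET /app/report?file=%252e%252e%255cconf HTTP/1.1" 404
10.0.1.15 - - [15/Feb/2024:10:02:30 +0000] "GET /app/v1..2/notes.txt HTTP/1.1" 200
"""

REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# A '..' path segment: preceded by a separator or parameter delimiter,
# followed by a separator or the end of the string.
DOTDOT_SEGMENT = re.compile(r'(?:^|[\\/=&?;])\.\.(?:[\\/]|$)')


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text: str) -> list[tuple[str, str]]:
    """Return (source address, raw request target) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and DOTDOT_SEGMENT.search(fully_decode(m["target"])):
            hits.append((m["src"], m["target"]))
    return hits


if __name__ == "__main__":
    for src, target in find_traversal(SAMPLE_LOG):
        print(f"ALERT traversal pattern from {src}: {target}")
```

The last sample line contains `..` inside a file name and is deliberately not flagged, since the pattern requires a whole `..` segment.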
How to Mitigate CVE-2024-23479
Immediate Actions Required
- Apply the security patch from SolarWinds immediately to all Access Rights Manager installations
- Restrict network access to ARM servers to only authorized administrative networks
- Implement network segmentation to limit adjacent network attack surface
- Review ARM server logs for any signs of exploitation attempts prior to patching
Patch Information
SolarWinds has released a security update to address this vulnerability. Organizations should consult the SolarWinds Security Advisory CVE-2024-23479 for detailed patch information and upgrade instructions. It is critical to apply the patch as soon as possible given the unauthenticated nature of this remote code execution vulnerability.
Workarounds
- Implement strict network access controls to limit which systems can communicate with ARM servers
- Deploy web application firewalls (WAF) configured to block path traversal patterns in requests to ARM
- Consider temporarily isolating ARM servers from the network until patches can be applied if immediate patching is not feasible
- Enable enhanced logging and monitoring on ARM servers to detect exploitation attempts
# Example: Network access restriction using firewall rules
# Restrict ARM server access to only management network segment
# Replace with your specific network configuration
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

