SolarWinds Access Rights Manag... Note

SolarWinds Access Rights Manager: One Vulnerability to LPE Them All

The SolarWinds Access Rights Manager product was found to have multiple vulnerabilities, including pre-auth remote code execution and file deletion vulnerabilities. A researcher discovered 18 vulnerabilities in the product, including pre-auth file deletion vulnerabilities that can be used to escalate privileges on domain-joined Windows machines. The vulnerabilities were addressed by the vendor with the ARM 2024.3 update. The researcher found that the product operates using a domain account, which can be a highly privileged service account or a Domain Admin account. The pre-auth file deletion vulnerabilities can be used to remove files remotely as a highly privileged domain account. The researcher demonstrated how the file deletion vulnerability can be used to escalate privileges on any Windows machine that is joined to the domain. The vulnerability can be exploited by providing a UNC path to the File.Delete method, which allows the attacker to remove files remotely as an admin. The researcher also demonstrated how the vulnerability can be used to escalate privileges on a machine that is not running SolarWinds ARM. The attacker can use the file deletion vulnerability to remove a file from a machine they control, which allows them to discover the name of the SolarWinds ARM AD account. The researcher concluded that the file deletion vulnerability can have a significant impact on the security of the entire Active Directory domain. The vulnerability can be used to escalate privileges on any Windows domain-joined machine, even those on which SolarWinds ARM is not installed. The researcher recommended that all users of SolarWinds ARM test and deploy the ARM 2024.3 update as soon as possible to address the vulnerabilities. The researcher also provided a demo of the exploit and encouraged users to follow them on social media for the latest in exploit techniques and security patches.