HC3 Urges Healthcare Sector to Update SolarWinds Following Vulnerability Disclosure

October 27, 2023 - The Health Sector Cybersecurity Coordination Center (HC3) urged the sector to prioritize monitoring and upgrading SolarWinds systems following a series of cybersecurity vulnerability disclosures.

SolarWinds recently released security fixes for eight vulnerabilities found in its Access Rights Manager (ARM). The ARM software is “designed to help security administrators provision, deprovision, manage, and audit user access rights to systems, data, and files,” HC3 noted.

Three of the eight vulnerabilities were rated as critical and could lead to remote code execution, enabling hackers to obtain the highest level of privileges.

HC3 strongly encouraged healthcare organizations to take note of these vulnerabilities “due to the previous malicious targeting and wide use of SolarWinds.”

The three critical vulnerabilities, known as CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, all result from a lack of proper validation of a user-supplied path and may allow hackers to execute arbitrary code.

"SolarWinds has developed a patch for these issues and communicated with customers about the steps needed to apply the fix to harden their environments," SolarWinds stated. "We are not aware of any evidence that any of these vulnerabilities have been exploited."

As previously reported, threat actors conducted a sophisticated supply chain attack via the SolarWinds Orion IT monitoring software in 2020. Threat actors were able to distribute SUNBURST malware and impact less than 100 organizations, including federal agencies and private sector organizations.

“Supply chain attacks have the potential to cause serious damage after their initial compromise, because these malicious updates can be pushed downstream from a trusted source to many customers,” HC3 noted.

Considering this recent history, and the fact that healthcare organizations may use the SolarWinds ARM software to aid in compliance with HIPAA, it is critical that organizations take action to mitigate the risk of the latest vulnerabilities.

HC3 urged SolarWinds ARM users in the healthcare sector to follow guidance provided by SolarWinds and upgrade their systems to the most current version.

Editor's note: This article has been updated to include a statement from SolarWinds and to reflect the number of entities impacted in the 2020 incident.