
SolarWinds left hardcoded credentials in helpdesk product

SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data.

The software maker has now issued an update to address that critical oversight; users are encouraged to install the fix, which presumably removes the baked-in creds.

The security blunder, tracked as CVE-2024-28987, received a 9.1-out-of-10 CVSS severity rating. It affects Web Help Desk 12.8.3 HF1 and all previous versions, and has been fixed in 12.8.3 HF2. The hotfix patch, issued yesterday, has to be manually installed.

WHD is SolarWinds' IT help desk ticketing and asset management software, and its website boasts testimonials from customers in government, education, healthcare, nonprofit, and telecommunications sectors.

Considering the severity of the bug, the customer base that SolarWinds has across government and enterprise clients, and the fact that the flaw is due to hardcoded credentials, we suspect criminals are already scanning for at-risk systems that are at least accessible from the public internet. So it's a good idea to prioritize this one ASAP before we've got another, well, SolarWinds on our hands.

Yes, we're talking about the same supplier that had a backdoor silently added to its IT monitoring suite Orion by Russian spies so that the snoops could then infiltrate SolarWinds' customer networks including US government departments.

The software maker did not immediately respond to The Register's inquiries about the CVE and whether it is under active attack.


Zach Hanley, a vulnerability researcher at Horizon3.ai, found and disclosed the flaw to SolarWinds on Friday and has promised to release more details about the bug next month.

Hanley also urged orgs to install the hotfix as soon as possible. He noted that upon applying the patch, "requests to non-existent pages on patched instances will return no content / content-length 0."

This latest emergency patch comes about a week after CISA added a different critical WHD flaw to its Known Exploited Vulnerabilities catalog. This one, tracked as CVE-2024-28986, is a Java deserialization remote code execution vulnerability that, if exploited, allows an attacker to run commands on the host machine.

It earned a 9.8 CVSS score, and it's unclear who is exploiting this vulnerability. CISA says it's "unknown" whether this CVE is being used in ransomware campaigns. ®

Source: theregister.com
