SolarWinds left critical hardcoded credentials in its Web Help Desk product
- Reference: 1724366176
- News link: https://www.theregister.co.uk/2024/08/22/hardcoded_credentials_bug_solarwinds_whd/
- Source link:
The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the baked-in creds.
The security blunder, tracked as [1]CVE-2024-28987 , received a 9.1-out-of-10 CVSS severity rating. It affects Web Help Desk 12.8.3 HF1 and all previous versions, and has been fixed in 12.8.3 HF2. The [2]hotfix patch , issued yesterday, has to be manually installed.
[3]
WHD is SolarWinds' IT help desk ticketing and asset management software, and its website boasts testimonials from customers in government, education, healthcare, nonprofit, and telecommunications sectors.
[4]
[5]
Considering the severity of the bug, the customer base that SolarWinds has across government and enterprise clients, and the fact that the flaw is due to hardcoded credentials, we suspect criminals are already scanning for at-risk systems that are at least accessible from the public internet. So it's a good idea to prioritize this one ASAP before we've got another, well, [6]SolarWinds on our hands.
Yes, we're talking about the same supplier that had a [7]backdoor silently added to its IT monitoring suite Orion by Russian spies so that the snoops could then infiltrate SolarWinds' customer networks including US government departments.
[8]
The software maker did not immediately respond to The Register 's inquiries about the CVE and whether it is under active attack.
[9]RansomHub-linked EDR-killing malware spotted in the wild
[10]Judge mostly drags SEC's lawsuit against SolarWinds into the recycling bin
[11]US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also gets backdoored
[12]You probably want to patch this critical GitHub Enterprise Server bug now
Zach Hanley, a vulnerability researcher at Horizon3.ai, found and disclosed the flaw to SolarWinds on Friday and has [13]promised to release more details about the bug next month.
Hanley also urged orgs to install the hotfix as soon as possible. He [14]noted that upon applying the patch, "requests to non-existent pages on patched instances will return no content / content-length 0."
This latest emergency patch comes about a week after CISA added a different [15]critical WHD flaw to its [16]Known Exploited Vulnerabilities catalog. This one, tracked as [17]CVE-2024-28986 , is a Java deserialization remote code execution vulnerability that, if exploited, allows an attacker to run commands on the host machine.
It earned a 9.8 CVSS score, and it's unclear who is exploiting this vulnerability. CISA says it's "unknown" whether this CVE is being used in ransomware campaigns. ®
Get our [18]Tech Resources
[1] https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
[2] https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2020/12/18/solarwinds_nnsa_microsoft_cisa/
[7] https://www.theregister.com/2020/12/15/solar_winds_update/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2024/08/19/ransomhub_edrkilling_malware/
[10] https://www.theregister.com/2024/07/18/sec_solarwinds_lawsuit/
[11] https://www.theregister.com/2020/12/18/solarwinds_nnsa_microsoft_cisa/
[12] https://www.theregister.com/2024/08/21/patch_github_enterprise_bug/
[13] https://x.com/hacks_zach/status/1826570157705089036
[14] https://x.com/hacks_zach/status/1826570157705089036
[15] https://www.theregister.com/2024/08/19/ransomhub_edrkilling_malware/
[16] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[17] https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28986
[18] https://whitepapers.theregister.com/
And how many organizations are going to pull their off-line backups to fix this?
I'll take any wagers over 0.
Anyone know how hard it is to process many daily/weekly/monthly/yearly backups and selectively update one or more files on these?
I'm guessing everybody is going to say "Well they are in a vault and encrypted. And we'll probably never have to do a real disaster recovery."
(Says those who have never really had to roll-back full systems.)
which presumably removes the baked-in creds .
Emphasis on the word "presumably".
It ain't over `til the fat lady sings.
Security software blunders and the State Security Apparatus
“ Why go to the effort of backdooring code when devs will basically do it for you accidentally anyway ”
Given the ubiquity of such security software blunders, I suspect these are the backdoors. The clue is in the following quote:
“ the customer base that SolarWinds has across government and enterprise clients ”
With all your stuff now in “The Cloud”, they now have [1]Total Information Awareness .
[1] https://en.wikipedia.org/wiki/Total_Information_Awareness
Hot fix has to be manually installed
> users are encouraged to install the fix, which presumably removes the baked-in creds.
Guessing the start of these special manual hot fix instructions begins with "Step 1: do *not" take a backup copy".
> It affects Web Help Desk 12.8.3 HF1 and all previous versions
And the final step is "Now delete all your previous backups".