News: 1724366176

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

SolarWinds left critical hardcoded credentials in its Web Help Desk product

(2024/08/23)


SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data

The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the baked-in creds.

The security blunder, tracked as [1]CVE-2024-28987 , received a 9.1-out-of-10 CVSS severity rating. It affects Web Help Desk 12.8.3 HF1 and all previous versions, and has been fixed in 12.8.3 HF2. The [2]hotfix patch , issued yesterday, has to be manually installed.

[3]

WHD is SolarWinds' IT help desk ticketing and asset management software, and its website boasts testimonials from customers in government, education, healthcare, nonprofit, and telecommunications sectors.

[4]

[5]

Considering the severity of the bug, the customer base that SolarWinds has across government and enterprise clients, and the fact that the flaw is due to hardcoded credentials, we suspect criminals are already scanning for at-risk systems that are at least accessible from the public internet. So it's a good idea to prioritize this one ASAP before we've got another, well, [6]SolarWinds on our hands.

Yes, we're talking about the same supplier that had a [7]backdoor silently added to its IT monitoring suite Orion by Russian spies so that the snoops could then infiltrate SolarWinds' customer networks including US government departments.

[8]

The software maker did not immediately respond to The Register 's inquiries about the CVE and whether it is under active attack.

[9]RansomHub-linked EDR-killing malware spotted in the wild

[10]Judge mostly drags SEC's lawsuit against SolarWinds into the recycling bin

[11]US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also gets backdoored

[12]You probably want to patch this critical GitHub Enterprise Server bug now

Zach Hanley, a vulnerability researcher at Horizon3.ai, found and disclosed the flaw to SolarWinds on Friday and has [13]promised to release more details about the bug next month.

Hanley also urged orgs to install the hotfix as soon as possible. He [14]noted that upon applying the patch, "requests to non-existent pages on patched instances will return no content / content-length 0."

This latest emergency patch comes about a week after CISA added a different [15]critical WHD flaw to its [16]Known Exploited Vulnerabilities catalog. This one, tracked as [17]CVE-2024-28986 , is a Java deserialization remote code execution vulnerability that, if exploited, allows an attacker to run commands on the host machine.

It earned a 9.8 CVSS score, and it's unclear who is exploiting this vulnerability. CISA says it's "unknown" whether this CVE is being used in ransomware campaigns. ®

Get our [18]Tech Resources



[1] https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987

[2] https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2020/12/18/solarwinds_nnsa_microsoft_cisa/

[7] https://www.theregister.com/2020/12/15/solar_winds_update/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZsgJagyKk6Q5QOr4FRF3ogAAAEU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2024/08/19/ransomhub_edrkilling_malware/

[10] https://www.theregister.com/2024/07/18/sec_solarwinds_lawsuit/

[11] https://www.theregister.com/2020/12/18/solarwinds_nnsa_microsoft_cisa/

[12] https://www.theregister.com/2024/08/21/patch_github_enterprise_bug/

[13] https://x.com/hacks_zach/status/1826570157705089036

[14] https://x.com/hacks_zach/status/1826570157705089036

[15] https://www.theregister.com/2024/08/19/ransomhub_edrkilling_malware/

[16] https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[17] https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28986

[18] https://whitepapers.theregister.com/



Hot fix has to be manually installed

that one in the corner

> users are encouraged to install the fix, which presumably removes the baked-in creds.

Guessing the start of these special manual hot fix instructions begins with "Step 1: do *not" take a backup copy".

> It affects Web Help Desk 12.8.3 HF1 and all previous versions

And the final step is "Now delete all your previous backups".

And how many organizations are going to pull their off-line backups to fix this?

elDog

I'll take any wagers over 0.

Anyone know how hard it is to process many daily/weekly/monthly/yearly backups and selectively update one or more files on these?

I'm guessing everybody is going to say "Well they are in a vault and encrypted. And we'll probably never have to do a real disaster recovery."

(Says those who have never really had to roll-back full systems.)

sanmigueelbeer

which presumably removes the baked-in creds .

Emphasis on the word "presumably".

It ain't over `til the fat lady sings.

Security software blunders and the State Security Apparatus

t245t

“ Why go to the effort of backdooring code when devs will basically do it for you accidentally anyway ”

Given the ubiquity of such security software blunders, I suspect these are the backdoors. The clue is in the following quote:

“ the customer base that SolarWinds has across government and enterprise clients ”

With all your stuff now in “The Cloud”, they now have [1]Total Information Awareness .

[1] https://en.wikipedia.org/wiki/Total_Information_Awareness

philosophy:
The ability to bear with calmness the misfortunes of our friends.