Critical Vulnerabilities in SolarWinds Web Help Desk and the Essential Hotfixes

SolarWinds’ Web Help Desk, a widely used IT management software, recently faced severe security challenges. These vulnerabilities, if left unpatched, could expose organizations to significant risks. The latest updates have addressed these flaws, but understanding their impact and the necessary steps for mitigation is crucial.

The Gravity of the Situation

Two major vulnerabilities—CVE-2024-28986 and CVE-2024-28987—were discovered in SolarWinds’ Web Help Desk (WHD). These issues were severe enough to warrant critical CVSS scores of 9.8 and 9.1, respectively.

The first, CVE-2024-28986, is a remote code execution (RCE) vulnerability caused by a Java deserialization flaw. If exploited, it allows an attacker to execute arbitrary commands on the affected host. Despite initial reports suggesting the vulnerability could be exploited without authentication, SolarWinds could only reproduce it after authentication. Nonetheless, due to the severity, SolarWinds issued a hotfix and strongly urged all users to apply it immediately.

The second vulnerability, CVE-2024-28987, is particularly concerning. It involves hardcoded credentials within the Web Help Desk software. This flaw enables unauthenticated attackers to log into vulnerable systems, access internal functionalities, and potentially modify sensitive data. Given the widespread use of Web Help Desk across various sectors, including government, healthcare, and education, the implications of such a flaw are far-reaching.

SolarWinds’ Response and Hotfixes

SolarWinds responded quickly to these vulnerabilities by releasing Web Help Desk 12.8.3 Hotfix 2. This hotfix addresses both the RCE vulnerability and the hardcoded credential issue. It also restores functionality compromised in earlier patches, ensuring the software operates securely and efficiently.

For those managing the Web Help Desk, applying this hotfix is not just recommended but essential. The installation process, though manual, is straightforward, involving the replacement of specific files within the Web Help Desk directory. SolarWinds provides detailed instructions to ensure administrators can apply the fix without disrupting their systems. Creating backups before modifying files is crucial, allowing for a quick rollback.

The Importance of Immediate Action

The recent history of SolarWinds, particularly the infamous breach involving its Orion software, underscores the need for prompt and decisive action in the face of security vulnerabilities. The company’s IT products are critical infrastructure components for many organizations. Leaving these vulnerabilities unpatched could lead to severe consequences, including unauthorized access, data breaches, and potentially devastating operational disruptions.

Given that these vulnerabilities are now known and patches are available, malicious actors are likely scanning for unpatched systems. Organisations must prioritise the application of these hotfixes to protect their IT environments and data.

The Need for Enhanced Security Measures

The recurring vulnerabilities in SolarWinds products serve as a stark reminder of the importance of proactive security measures. One crucial step is the adoption of passwordless authentication systems. Hardcoded credentials, as seen in CVE-2024-28987, pose a significant security risk. Credentials, in general, are a weak point in many systems, often becoming targets for exploitation.

By implementing passwordless solutions like PureAuth, organizations can significantly reduce the attack surface. Passwordless systems eliminate the need for traditional credentials, replacing them with more secure authentication methods such as biometrics or hardware tokens. This not only enhances security but also improves the user experience by streamlining the login process.

Conclusion

SolarWinds Web Help Desk has been a reliable tool for many organizations, but these recent vulnerabilities highlight the ongoing security challenges in software development. By staying vigilant and promptly applying security patches, organizations can mitigate risks and continue to benefit from the functionality provided by the Web Help Desk. The critical nature of the CVEs discussed cannot be overstated, and the onus is on system administrators to act swiftly and decisively.

For more detailed coverage of SolarWinds’ security challenges, visit BleepingComputer and PureID’s analysis. The journey to a more secure environment begins with proactive steps, and passwordless authentication is a crucial part of that journey.

SolarWinds New 0-Day: Serv-U Update

SolarWinds Serv-U, one of the leading multi-protocol file servers, reported a critical exploit marked as CVE-2024-28995. It allows unauthorised access to sensitive files. This path traversal flaw poses a significant security risk.

Credit: CyberInsider

What is CVE-2024-28995?

CVE-2024-28995 is a path traversal vulnerability in SolarWinds Serv-U. Attackers can exploit it remotely and without authentication. It allows an attacker to send specially crafted requests to the server, potentially accessing sensitive files and data from the underlying operating system. This could include user data, server logs, and other critical files​

Historical Context

SolarWinds Serv-U has been targeted before. In 2021, a zero-day vulnerability (CVE-2021-35211) was exploited by a group called Circle Typhoon. This historical precedent underscores the importance of patching vulnerabilities in managed file transfer solutions, which are prime targets for cyber criminals​.

Exploitation Details

Researchers have observed both automated and manual exploitation attempts. These began after the release of proof-of-concept (PoC) exploit details on June 18, 2024. GreyNoise reported seeing active exploitation in the wild. The PoC scripts made it relatively straightforward for attackers to leverage this vulnerability, prompting urgent calls for patching​

Implications for Organisations

Managed file transfer solutions are prime targets for ransomware groups. Examples include attacks on Accellion’s FTA, Fortra’s GoAnywhere MFT, and Progress Software’s MOVEit Transfer. These attacks often result in data breaches and extortion attempt.

Mitigation and Recommendations

SolarWinds released a patch to address CVE-2024-28995. Users of Serv-U FTP and MFT solutions should upgrade to version 15.4.2 HF 2 or later. Immediate patching is crucial due to the active exploitation and sensitivity of the data at risk.

Identifying Affected Systems

Tenable has developed plugins to identify vulnerable systems. These plugins are available on the CVE page for CVE-2024-28995. Organisations should use these tools to detect and remediate this vulnerability.

Enhancing Security with Passwordless Systems

To bolster security and protect against vulnerabilities like CVE-2024-28995, consider implementing passwordless authentication systems. Traditional passwords are often a weak link in cybersecurity, prone to phishing, brute force attacks, and credential stuffing. By moving to a passwordless system, you can significantly enhance the security posture of your SolarWinds Serv-U environment.

Benefits of Passwordless Authentication:

  1. Reduced Attack Surface
  2. Improved User Experience
  3. Enhanced Security
  4. Compliance and Standards

Implementing Passwordless Systems with PureAuth:

PureAuth offers a robust passwordless authentication solution that can be integrated into your existing infrastructure. By using PureAuth, you can secure your SolarWinds Serv-U environment against unauthorised access and potential vulnerabilities.

Conclusion:

CVE-2024-28995 is a serious vulnerability actively exploited in the wild. Organisations using SolarWinds Serv-U must prioritise patching to protect their systems. Enhancing security with passwordless systems is a proactive step in safeguarding your SolarWinds Serv-U environment. By implementing solutions like PureAuth, you can reduce the risk of exploitation from vulnerabilities like CVE-2024-28995 and ensure a more secure and user-friendly authentication process.