Patch Now: Second SolarWinds Critical Bug in Web Help Desk

Published: 23/11/2024   Category: security
The disclosure of CVE-2024-28987 means that, within two weeks, there have been two critical bugs, and two corresponding patches, for SolarWinds' less-often-discussed IT help desk software.



For the second week in a row, SolarWinds has released a patch for a critical vulnerability in its IT help and ticketing software, Web Help Desk (WHD).
According to its latest hotfix notice, the issue — tracked as CVE-2024-28987 — concerns hardcoded credentials that could allow a remote, unauthenticated attacker to break into WHD and modify data.
"Security is hard and a continuous process," says Horizon3.ai vulnerability researcher Zach Hanley, who first discovered and reported the bug. "This application had just received a security look from being exploited in the wild, and a few years [before] had a different hardcoded credential vulnerability. Regular security reviews on the same application can still be valuable for companies."
On Aug. 13, SolarWinds released a hotfix for CVE-2024-28986, a Java deserialization issue that could have allowed an attacker to run commands on a targeted machine. It was given a critical 9.8 out of 10 score on the CVSS scale.
Following what the company described as thorough testing, it was unable to prove that the issue could be exploited by an unauthenticated attacker. But just two days after news of it broke, CISA added CVE-2024-28986 to its catalog of known exploited vulnerabilities, indicating that active exploitation by threat actors was already underway.
This week, the company followed up this initial bad news with more of the same, this time concerning a second vulnerability in the same program. In this case, there was no ambiguity that an unauthenticated attacker could leverage hardcoded credentials in WHD to access internal functionalities and data, which goes some way to justifying its critical 9.1 CVSS score.
"Contrary to other reporting, CVE-2024-28987 was not first introduced in the patch for CVE-2024-28986. This issue has existed for some time in the product, likely for several years," Hanley reports. SolarWinds declined to provide Dark Reading with further comment.
SolarWinds' newest patch incorporates fixes for both issues. Customers are advised to update immediately.
To hammer the point home, Hanley says, "Imagine if an attacker had access to all the details in help desk tickets — what sensitive information may they be able to extract? Credentials, business operations details, etc."
