Security researchers have uncovered a critical-severity vulnerability in one of SolarWinds’ most popular software products.
SolarWinds’ Web Help Desk is a web-based IT service management software that streamlines and automates help desk ticketing, asset management, and IT service management processes. It offers features like ticketing, incident and problem management, and a self-service portal, designed to improve the efficiency and responsiveness of IT support teams.
The bug, discovered by cybersecurity researcher Zach Hanley, from Horizon3.ai, is a simple (but too-often-seen) oversight – hardcoded admin credentials were left in the product. The vulnerability is tracked as CVE-2024-28987, and carries a severity score of 9.1/10. It affects Web Help Desk 12.8.3 HF1 and all previous versions.
The earliest clean version is 12.8.3 HF2.
Hardcoded credentials everywhere
A patch is already available, but it needs to be manually installed. Since the flaw allows unauthenticated threat actors to log into vulnerable endpoints, and fiddle with the data found there, users are urged to install the fix immediately.
One would think that for a product used by government, education, healthcare, and telecommunications companies (to name a few), such a simple error would not happen. However, hardcoded credentials are a frequent occurrence.
In October 2023, Cisco Emergency Responder (CER), the company’s emergency communication system used to respond to crises in a timely manner, had hardcoded credentials. In March 2024, researchers found that millions of GitHub projects had the same problem.
During the development stage, many IT pros would hardcode different authentication secrets in order to make their lives easier. However, they often forget to remove the secrets before publishing the code. Thus, should any malicious actors discover these secrets, they would get easy access to private resources and services, which can result in data breaches and similar incidents.
Via The Register
