SolarWinds left some serious security flaws in its Web Desk Help platform, and now it's under attack

News
By
published

Hardcoded credentials grant crooks easy access to SolarWinds platform

Shadowed hands on a digital background reaching for a login prompt.
Image Credit: Shutterstock (Image credit: Shutterstock)

Security researchers have uncovered a critical-severity vulnerability in one of SolarWinds' most popular software products.

SolarWinds' Web Help Desk is a web-based IT service management software that streamlines and automates help desk ticketing, asset management, and IT service management processes. It offers features like ticketing, incident and problem management, and a self-service portal, designed to improve the efficiency and responsiveness of IT support teams.

The bug, discovered by cybersecurity researcher Zach Hanley, from Horizon3.ai, is a simple (but too-often-seen) oversight - hardcoded admin credentials were left in the product. The vulnerability is tracked as CVE-2024-28987, and carries a severity score of 9.1/10. It affects Web Help Desk 12.8.3 HF1 and all previous versions.

The earliest clean version is 12.8.3 HF2.

Hardcoded credentials everywhere

A patch is already available, but it needs to be manually installed. Since the flaw allows unauthenticated threat actors to log into vulnerable endpoints, and fiddle with the data found there, users are urged to install the fix immediately.

One would think that for a product used by government, education, healthcare, and telecommunications companies (to name a few), such a simple error would not happen. However, hardcoded credentials are a frequent occurrence.

In October 2023, Cisco Emergency Responder (CER), the company’s emergency communication system used to respond to crises in a timely manner, had hardcoded credentials. In March 2024, researchers found that millions of GitHub projects had the same problem.

During the development stage, many IT pros would hardcode different authentication secrets in order to make their lives easier. However, they often forget to remove the secrets before publishing the code. Thus, should any malicious actors discover these secrets, they would get easy access to private resources and services, which can result in data breaches and similar incidents.

Via The Register

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.