The security flaw could allow attackers to access vulnerable Web Help Desk instances without authentication.

SolarWinds has issued a hotfix for a security oversight that could allow remote access to sensitive credentials hardcoded in its Web Help Desk (WHD) product. The vulnerability, tracked as CVE-2024-28987, has been rated “critical” with a CVSS score of 9.1 out of 10.

“The SolarWinds Web Help Desk software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data,” the software maker said in the hotfix release notes.

Sensitive credentials exposed

Because of an oversight on the developers’ part, hardcoded credentials were left in WHD. Since the credentials are fixed in the product rather than set per deployment, an attacker who learns them needs no other foothold to get into a vulnerable, reachable instance.

SolarWinds’ WHD is a web-based IT service management (ITSM) product that gives organizations a centralized platform for tracking, managing and resolving service requests and incidents. Its customers include organizations in critical sectors such as healthcare, government and financial services, so a vulnerability that allows remote access to their help desk systems can put sensitive data at risk.

No active exploitation has been reported yet, but SolarWinds recommends patching promptly to stay ahead of adversaries. Zach Hanley, the vulnerability researcher credited with the discovery, has promised further details. “Reported a critical vulnerability to SolarWinds on Friday after digging into the recent CISA KEV CVE-2024-28986 for WebHelpDesk, amazed they’ve already shipped a patch 4 days later!” Hanley wrote on X. “Will release some details next month.”

Additional Fixes

A hotfix is a small, targeted update that addresses specific defects rather than a full product release. Along with the fix for the hardcoded-credential vulnerability, this one also includes an updated version of a recent hotfix for CVE-2024-28986, a remote code execution vulnerability in the same product with a CVSS score of 9.8.

“For your protection and to quickly deliver SolarWinds customers a secure version of WHD, we applied an aggressive security patch in WHD 12.8.3 Hotfix 1 on August 13, 2024,” SolarWinds said in an earlier update. “In a few cases, this approach impacted product functionality such as SSO.”

The new hotfix, WHD 12.8.3 Hotfix 2, fixes the hardcoded-credential vulnerability and, in SolarWinds’ words, “adds more patterns to fix (the) SSO issue” introduced by Hotfix 1. Because Hotfix 2 carries both fixes, customers who already applied Hotfix 1 should still apply it. CVE-2024-28986 was recently added by CISA to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation.
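As an added example that is not code from SolarWinds or Web Help Desk (the actual vulnerable code has not been published), the following Python shows the class of bug the advisory describes: a built-in account compiled into the product, next to a hardened login path whose only accounts are provisioned per deployment, plus a small source scanner of the kind a CI pipeline can run to catch secret-looking literals before they ship. Every name and value here (`whd_support`, `helpdesk123`, `HELPDESK_ADMIN_USER`, `HELPDESK_ADMIN_PASSWORD`, `SAMPLE_SOURCE`) is hypothetical and constructed for the example.

```python
"""Added example (not SolarWinds or Web Help Desk code): the hardcoded-credential
anti-pattern that CVE-2024-28987 describes, next to a hardened login path and a
small source scanner for catching such literals before they ship.
All names and sample values are hypothetical."""
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, List, Optional, Tuple

# ---- Vulnerable pattern: a built-in account compiled into the product ------
# The same username/password works on every installation, so anyone who reads
# the source, the shipped binary, or a single advisory can log in anywhere.
_BUILTIN_USER = "whd_support"          # hypothetical
_BUILTIN_PASSWORD = "helpdesk123"      # hypothetical


def vulnerable_login(username: str, password: str) -> bool:
    """Accepts the shipped credential no matter how the deployment is configured."""
    return username == _BUILTIN_USER and password == _BUILTIN_PASSWORD


# ---- Hardened pattern: no default account, per-deployment secrets, slow hash --
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """In-memory stand-in for the application's user database.
    It starts empty: there is no account until an operator provisions one."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def provision(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Burn the same hashing cost for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(actual, expected)   # constant-time compare


def bootstrap_store(environ: Optional[Dict[str, str]] = None) -> CredentialStore:
    """Take the initial admin credential from deployment configuration
    (here, environment variables) and refuse to start without one, rather
    than silently falling back to a value baked into the code."""
    env = os.environ if environ is None else environ
    user = env.get("HELPDESK_ADMIN_USER")
    password = env.get("HELPDESK_ADMIN_PASSWORD")
    if not user or not password:
        raise RuntimeError("HELPDESK_ADMIN_USER/HELPDESK_ADMIN_PASSWORD must be set; no built-in default")
    store = CredentialStore()
    store.provision(user, password)
    return store


# ---- Build-time check: flag secret-looking literals in source -----------------
_SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*=\s*['\"][^'\"]+['\"]"
)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for assignments of string literals to
    password/secret/key-like names. A crude but useful CI gate."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(source.splitlines(), start=1)
        if _SECRET_ASSIGNMENT.search(line)
    ]


# Constructed sample source, not from any real product.
SAMPLE_SOURCE = """\
db_host = "localhost"
_BUILTIN_PASSWORD = "helpdesk123"
api_key = 'abc123'
request_timeout = "30"
"""

if __name__ == "__main__":
    print("vulnerable login with shipped creds:", vulnerable_login(_BUILTIN_USER, _BUILTIN_PASSWORD))
    store = bootstrap_store({"HELPDESK_ADMIN_USER": "admin", "HELPDESK_ADMIN_PASSWORD": "s3cret-set-at-deploy"})
    print("hardened login, right password:", store.verify("admin", "s3cret-set-at-deploy"))
    print("hardened login, shipped creds:", store.verify(_BUILTIN_USER, _BUILTIN_PASSWORD))
    for lineno, line in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"hardcoded secret at line {lineno}: {line}")
```

The point of the hardened half is not the hashing details but the absence of any fallback: `bootstrap_store` fails closed when no credential is supplied, so a misconfigured deployment cannot quietly end up with a universal password. The scanner is deliberately simple and will produce false positives; it is the kind of gate that would have flagged `_BUILTIN_PASSWORD` in review.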