Security researchers have discovered a critical vulnerability in one of SolarWinds’ most popular software products.
SolarWinds Web Help Desk is a web-based IT service management software that streamlines and automates help desk ticketing, asset management, and IT service management processes. It offers features such as ticketing, incident and problem management, and a self-service portal, designed to improve the efficiency and responsiveness of IT support teams.
The bug, discovered by cybersecurity researcher Zach Hanley of Horizon3.ai, is a simple (but too-common) oversight: hardcoded administrator credentials were left in the product. The vulnerability is tracked as CVE-2024-28987 and has a severity rating of 9.1/10. It affects Web Help Desk 12.8. 3 HF1 and all versions prior.
The first clean version is 12.8.3 HF2.
Hardcoded credentials everywhere
A patch is already available, but it must be installed manually. Because the flaw allows unauthenticated threat actors to log in to vulnerable endpoints and tamper with the data found there, users are urged to install the fix immediately.
You would think that for a product used by government, education, healthcare, and telecommunications (to name a few), such a simple mistake would not happen. However, hardcoded credentials are common.
In October 2023, Cisco Emergency Responder (CER), the company’s emergency communications system used to respond to crises in a timely manner, had hardcoded credentials. In March 2024, researchers discovered that millions of GitHub projects had the same issue.
During the development phase, many IT professionals would hardcode various authentication secrets to make their lives easier. However, they often forget to remove the secrets before publishing the code. Should malicious actors discover these secrets, they can easily gain access to private resources and services, which can lead to data breaches and similar incidents.
Via The register