UPDATE: PoC Code Released for SolarWinds Help Desk Remote Exploitation of Hardcoded Credential

Alert essentials:

Critical vulnerabilities in SolarWinds Web Help Desk allow hackers access to unpatched systems and underlying functionality.

Apply hotfix 12.8.3 immediately.

Email Team

Detailed threat description:

A java deserialization remote code execution was found in SolarWinds Help Desk software. The deserialization allows bad actors to run commands on the host machine.

Additionally, hard-coded credentials were discovered in the Web Help Desk.

Hackers can modify data and access internal functions using the provided credentials.

CVE-2024-28987 was seen in exploited attacks and added to the CISA Known Exploitable vulnerabilities list. Deploy 12.8.3 HF2 to vulnerable hosts immediately.

Update: Proof-of-concept exploitation code is available on GitHub.

Impacts on healthcare organizations:

These vulnerabilities are frequently used as entrance vectors to compromise systems further.

Apply this hotfix promptly to protect against potential exploits and system downtime.

Affected products / versions:

SolarWinds Web Help Desk 12.8.3.1 and prior

CVEs

CVE-2024-28986
CVE-2024-28987

Update: Indicators of Compromise (IOCs)

Logs can be inspected to see if an unrecognized IP address is enumerating the OrionTicket endpoints.

[10.0.40.83 F05180106762DEB98119DE28EE8C0BC2] HTTP:/1.1 GET /helpdesk/WebObjects/Helapdeskoa/ra/OrionTickets/1 200

Recommendations

Engineering recommendations:

Backup all original files before replacing them with hotfix versions
Upgrade vulnerable servers to Web Help Desk 12.8.3.1813 or 12.8.3 HF1 before deploying 12.8.3 HF2
Apply hotfix 12.8.3 to SolarWinds Help Desk (12.8.3 HF2)

Leadership/ Program recommendations:

CISA strongly recommends all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References:

CISA Known Exploitable Vulnerabilities (KEV): Known Exploited Vulnerabilities Catalog | CISA
GitHub PoC: GitHub – horizon3ai/CVE-2024-28987: Proof of Concept Exploit for CVE-2024-28987: SolarWinds Web Help Desk Hardcoded Credential Vulnerability
SolarWinds Alert: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
SolarWinds Patches and Installation Assistance: https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2

Threat Bulletin