Alert essentials:
Two critical vulnerabilities in SolarWinds Web Help Desk (WHD) allow remote attackers to run commands on unpatched servers and to read and modify help desk data through an internal API.
Apply hotfix 12.8.3 HF2 immediately.
Detailed threat description:
A Java deserialization remote code execution flaw (CVE-2024-28986) was found in SolarWinds Web Help Desk. Untrusted data that the application deserializes lets an attacker run commands on the host machine.
Additionally, hard-coded credentials (CVE-2024-28987) were discovered in Web Help Desk.
An attacker who knows these credentials can authenticate to an internal API and use it to read and modify help desk data.
CVE-2024-28987 has been observed exploited in the wild and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Deploy 12.8.3 HF2 to vulnerable hosts immediately.
Update: proof-of-concept exploit code for CVE-2024-28987 is publicly available on GitHub (see References).
Impacts on healthcare organizations:
Vulnerabilities of this kind are commonly used as initial access vectors: a compromised help desk server gives an attacker a foothold from which to move further into the environment.
Apply the hotfix promptly to reduce the risk of exploitation and of the downtime that follows an incident.
Affected products / versions:
- SolarWinds Web Help Desk 12.8.3 HF1 and all prior versions
CVEs:
- CVE-2024-28986 (Java deserialization remote code execution)
- CVE-2024-28987 (hard-coded credentials)
Update: Indicators of Compromise (IOCs)
Inspect the Web Help Desk access logs for an unrecognized client IP address walking through the OrionTickets REST endpoints, the API that the hard-coded credentials grant access to. Requests of the following form from an unexpected source, with the trailing ticket ID incrementing from one request to the next, indicate enumeration:
[10.0.40.83 F05180106762DEB98119DE28EE8C0BC2] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/1 200
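The following script is an added example, not code from SolarWinds or from the original alert. It parses access-log lines in the format shown above, ignores the IP addresses of known Orion integration servers (an assumed allowlist you must fill in for your environment), and flags any other client that enumerates consecutive OrionTickets IDs, sends a large number of OrionTickets requests, or uses a write method (PUT, POST, DELETE) against the endpoint. The log lines embedded in the block are constructed for the example; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Log line format taken from the entry quoted in this alert:
#   "[<client ip> <session id>] HTTP/1.1 <method> <path> <status>"
# The quoted sample is written "HTTP:/1.1", so both spellings are accepted.
LINE_RE = re.compile(
    r"^\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<session>[0-9A-Fa-f]+)\] "
    r"HTTP:?/1\.[01] (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# REST resource reached with the hard-coded credentials; the trailing number
# is the ticket ID an attacker walks through when enumerating.
ORION_TICKETS_RE = re.compile(
    r"/helpdesk/WebObjects/Helpdesk\.woa/ra/OrionTickets(?:/(?P<ticket>\d+))?"
)

# Assumed allowlist: the Orion servers that legitimately call this API.
KNOWN_ORION_IPS = {"10.0.10.5"}

# Constructed sample log (not real telemetry). 10.0.40.83 enumerates IDs 1..4,
# 10.0.10.5 is the legitimate Orion integration, 192.0.2.44 touches one ticket,
# 198.51.100.9 modifies a ticket without ever being a known Orion host.
SAMPLE_LOG = """\
[10.0.40.83 F05180106762DEB98119DE28EE8C0BC2] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/1 200
[10.0.40.83 F05180106762DEB98119DE28EE8C0BC2] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/2 200
[10.0.40.83 F05180106762DEB98119DE28EE8C0BC2] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/3 200
[10.0.40.83 F05180106762DEB98119DE28EE8C0BC2] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/4 200
[10.0.10.5 0A1B2C3D4E5F60718293A4B5C6D7E8F9] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/77 200
[10.0.10.5 0A1B2C3D4E5F60718293A4B5C6D7E8F9] HTTP:/1.1 PUT /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/77 200
[192.0.2.44 9F8E7D6C5B4A39281706F5E4D3C2B1A0] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa 200
[192.0.2.44 9F8E7D6C5B4A39281706F5E4D3C2B1A0] HTTP:/1.1 GET /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/150 200
[198.51.100.9 1234ABCD1234ABCD1234ABCD1234ABCD] HTTP:/1.1 PUT /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/150 200
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_orion_enumeration(log_text, known_ips, min_requests=5):
    """Map each suspicious client IP to a summary of its OrionTickets activity.

    A client outside known_ips is reported when it reaches the OrionTickets
    endpoint at least min_requests times, uses a write method at all, or
    requests three or more consecutive ticket IDs (assumed thresholds).
    """
    per_ip = defaultdict(lambda: {"count": 0, "tickets": set(), "methods": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unrelated or malformed line
        hit = ORION_TICKETS_RE.search(rec["path"])
        if hit is None or rec["ip"] in known_ips:
            continue
        entry = per_ip[rec["ip"]]
        entry["count"] += 1
        entry["methods"].add(rec["method"])
        if hit.group("ticket") is not None:
            entry["tickets"].add(int(hit.group("ticket")))

    findings = {}
    for ip, entry in per_ip.items():
        tickets = sorted(entry["tickets"])
        writes = sorted(entry["methods"] - {"GET", "HEAD"})
        sequential = len(tickets) >= 3 and all(
            b - a == 1 for a, b in zip(tickets, tickets[1:])
        )
        if entry["count"] >= min_requests or writes or sequential:
            findings[ip] = {
                "count": entry["count"],
                "tickets": tickets,
                "writes": writes,
                "sequential": sequential,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_orion_enumeration(SAMPLE_LOG, KNOWN_ORION_IPS).items():
        print(f"{ip}: {info}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents and KNOWN_ORION_IPS with the addresses of your Orion servers. Any IP it reports that is not an Orion integration host is worth treating as a possible use of the hard-coded credentials, and the write-method check matters because the credentials allow data modification, not only reads.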
Recommendations
Engineering recommendations:
- Back up the original application files before replacing them with the hotfix versions
- Upgrade vulnerable servers to Web Help Desk 12.8.3.1813 or 12.8.3 HF1 before deploying 12.8.3 HF2, since HF2 must be applied on top of one of these versions
- Apply 12.8.3 HF2 to SolarWinds Web Help Desk
Leadership/ Program recommendations:
CISA strongly recommends all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISA Known Exploited Vulnerabilities (KEV) catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- GitHub PoC (horizon3ai/CVE-2024-28987, SolarWinds Web Help Desk hard-coded credential vulnerability): https://github.com/horizon3ai/CVE-2024-28987
- SolarWinds advisory for CVE-2024-28987: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
- SolarWinds 12.8.3 Hotfix 2 patch and installation guidance: https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2