
August 22, 2024

SolarWinds patches actively exploited hardcoded credentials vulnerability


SolarWinds has released a hotfix update to address a recently discovered critical vulnerability in its Web Help Desk (WHD) software, used by organizations to efficiently accept, track, and respond to support requests.

The flaw, designated CVE-2024-28987, is a hardcoded credential vulnerability that could be leveraged by unauthenticated threat actors to obtain remote access and modify data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2024-28987 to its list of Known Exploited Vulnerabilities (KEV), but the agency was tight-lipped about exactly how the vulnerability was being exploited.

Additional details regarding the vulnerability are expected to be released in September, giving users a grace period during which they should update their systems.

Source: The Hacker News

Analysis

Hardcoded credentials are essentially a default username and password that are built into a system or device. They are the same on every device unless the end user changes or disables them, which generally doesn't happen.

A good example of hardcoded credentials is residential internet routers, which were typically shipped with Admin/Admin as the default username and password. It is almost a certainty that today’s sophisticated threat actors will compromise devices that use hardcoded credentials.

As a result, many hardware manufacturers and software vendors have discontinued this practice and instead assign unique usernames and passwords for each device that is shipped. It’s unclear why SolarWinds WHD still used hardcoded credentials, as this practice is known for being highly exploitable.
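To make the contrast above concrete, here is an added example (not SolarWinds code and not taken from the advisory) that places the weak pattern, a username and password baked into every copy of the software, beside the hardened pattern the paragraph describes, in which each installation generates its own secret at first run, stores only a salted hash of it, and compares in constant time. The class names, the `admin`/`admin` placeholder and the PBKDF2 parameters are constructed for illustration; the iteration count follows the commonly cited OWASP figure for PBKDF2-HMAC-SHA256.

```python
"""Hardcoded credentials versus per-installation credentials (added example)."""
import hashlib
import hmac
import os
import secrets


class VulnerableAuth:
    """Weak pattern: the same credential ships in every copy of the product.

    Once one copy is inspected, the value below is effectively public, and it
    unlocks every other installation that never changed it.
    """

    # Constructed placeholder values, not any vendor's real defaults.
    _USERNAME = "admin"
    _PASSWORD = "admin"

    def login(self, username: str, password: str) -> bool:
        return username == self._USERNAME and password == self._PASSWORD


class HardenedAuth:
    """Hardened pattern: a unique secret per installation, hashed at rest."""

    # Work factor for PBKDF2-HMAC-SHA256 (OWASP's recommended order of magnitude).
    PBKDF2_ITERATIONS = 600_000

    def __init__(self, username: str = "admin"):
        self.username = username
        self._salt = os.urandom(16)
        # Generated once at first run and shown to the installer out of band;
        # it never exists in the shipped code or in a shared image.
        self.initial_password = secrets.token_urlsafe(24)
        self._hash = self._derive(self.initial_password)

    def _derive(self, password: str) -> bytes:
        """Salted, iterated hash so a leaked store does not reveal the password."""
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ITERATIONS
        )

    def login(self, username: str, password: str) -> bool:
        candidate = self._derive(password)
        # compare_digest does not short-circuit on the first differing byte,
        # so the comparison itself leaks nothing about how close a guess was.
        ok_user = hmac.compare_digest(username.encode(), self.username.encode())
        ok_pass = hmac.compare_digest(candidate, self._hash)
        return ok_user and ok_pass

    def rotate_password(self, old_password: str, new_password: str) -> bool:
        """Replace the initial secret; requires proof of the current one."""
        if not self.login(self.username, old_password):
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password)
        return True


def credentials_shared(auth_a, auth_b, username: str, password: str) -> bool:
    """True when one credential unlocks two separate installations."""
    return auth_a.login(username, password) and auth_b.login(username, password)


if __name__ == "__main__":
    weak_a, weak_b = VulnerableAuth(), VulnerableAuth()
    print("weak installs share a login:", credentials_shared(weak_a, weak_b, "admin", "admin"))

    strong_a, strong_b = HardenedAuth(), HardenedAuth()
    print("hardened installs share a login:",
          credentials_shared(strong_a, strong_b, "admin", strong_a.initial_password))
```

Run as a script, the first line reports that the two `VulnerableAuth` instances accept the same login while the two `HardenedAuth` instances do not; the per-installation secret is the property that stops one disclosed default from opening every deployment.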

Vulnerabilities in SolarWinds products have been a popular target for threat actors in 2024. On August 13, SolarWinds released an update for a different critical vulnerability in WHD, designated CVE-2024-28986, which, when exploited, could allow threat actors to execute arbitrary code.

In June 2024, a high-severity directory traversal vulnerability in SolarWinds' Serv-U software was quickly exploited after proof-of-concept (PoC) code was publicly released by an overly eager cybersecurity company before admins had the chance to patch their systems.

While there’s no doubt that SolarWinds products have a history of being targeted by threat actors, it’s hard to say if this is due to perceived security lapses in coding or if SolarWinds users are just particularly interesting to threat actors.

For example, when Russia’s Foreign Intelligence Service (SVR) infiltrated SolarWinds' internal systems and injected malicious code into SolarWinds Orion builds, they were able to deploy the Sunburst backdoor on thousands of systems, impacting 96% of Fortune 500 companies, as well as many U.S. government departments.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like SolarWinds WHD. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends users of affected SolarWinds WHD versions update to the latest version as soon as possible, in accordance with the advisory.
