Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986)
SolarWinds has fixed a critical vulnerability (CVE-2024-28986) in its Web Help Desk (WHD) solution that may allow attackers to run commands on the host machine.
“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available,” the company advises.
About CVE-2024-28986
SolarWinds Web Help Desk is a web-based IT help desk solution popular with SMBs, enterprises and managed service providers.
It integrates with Active Directory and LDAP, centralizes and automates ticket management, provides a central knowledge base, tracks and manages IT assets, and more.
CVE-2024-28986 is a Java deserialization vulnerability, a class of weakness that remains among the most common in Java applications. Such flaws arise when an application reconstructs objects from untrusted serialized data without restricting which classes may be instantiated: a crafted stream can then drive code paths (so-called gadget chains) in classes that are already on the classpath and ultimately execute attacker-controlled commands on the host.
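To make the bug class concrete, here is an added example (not SolarWinds code, and not the code path behind CVE-2024-28986, whose details are not public) showing the generic unsafe pattern next to a hardened version that uses the JDK 9+ ObjectInputFilter API. The class names TicketNote, unsafeRead, safeRead and serialize are hypothetical, and the HashMap stands in for whatever unexpected class an attacker might encode; the point is that the unfiltered reader will instantiate it, while the filtered reader rejects it before any constructor or readObject() logic runs.

```java
// Added example, not SolarWinds code: the generic Java deserialization bug
// class (unrestricted ObjectInputStream) beside a hardened reader that uses
// a JDK 9+ ObjectInputFilter allow-list. Class and method names are hypothetical.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationDemo {

    /** The only type this endpoint legitimately expects (constructed for the demo). */
    public static final class TicketNote implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        TicketNote(String text) { this.text = text; }
    }

    /** VULNERABLE pattern: instantiates whatever class the sender encoded.
     *  Any gadget class on the classpath is resolved and its readObject()
     *  runs before the caller's cast to the expected type is ever reached. */
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** HARDENED pattern: the filter is consulted for every class descriptor in
     *  the stream (nested objects included) before the class is resolved, so an
     *  unexpected type is rejected with InvalidClassException, not instantiated. */
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Non-class checks (depth, reference count, array length): leave undecided.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return (c == TicketNote.class || c == String.class)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    /** Helper that produces the serialized bytes a client would send. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new TicketNote("reboot printer"));
        // Constructed stand-in for attacker-chosen content: a class the endpoint never expects.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafe, expected type:   " + ((TicketNote) unsafeRead(expected)).text);
        System.out.println("unsafe, unexpected type: " + unsafeRead(unexpected).getClass().getName());

        System.out.println("safe, expected type:     " + ((TicketNote) safeRead(expected)).text);
        try {
            safeRead(unexpected);
            System.out.println("safe, unexpected type:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("safe, unexpected type:   rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on JDK 9 or later. A per-stream filter as above is the minimum; a process-wide filter set via the `jdk.serialFilter` system property, or not using native Java serialization on any network-reachable interface at all, is the stronger fix, and neither is a substitute for applying the vendor patch.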
CVE-2024-28986 has been privately disclosed by security researchers and fixed with their help. There is no mention of it being under active exploitation.
The vulnerability affects WHD versions 12.4 through 12.8.
What to do?
SolarWinds instructs customers to upgrade their installations to version 12.8.3 immediately and then apply Web Help Desk 12.8.3 Hotfix 1.
Applying the hotfix is not a single step: customers also have to copy a set of files into place and manually edit a file. SolarWinds explains the whole procedure clearly in the security advisory, and also provides instructions for uninstalling the hotfix, should that be needed.
While SolarWinds strongly recommends that customers install Web Help Desk on a server that is protected from unauthorized access by the public and is not internet-facing, there are surely some (hopefully not many) customers who have ignored the advice.
Attackers may soon try to analyze the hotfix, devise an exploit, and probe vulnerable installations. If SolarWinds is correct about the authentication requirement – and there is no reason why they should not be – successful exploitation of the flaw will not be as easy as the researchers initially feared.
UPDATE (August 16, 2024, 02:20 a.m. ET):
CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.