Detailed Analysis Report on CVE-2024-28987
Date: October 20, 2024
Executive Summary
CVE-2024-28987 is a critical vulnerability identified in the SolarWinds Web Help Desk (WHD) software, affecting versions 12.8.3 HF1 and earlier. This vulnerability, with a CVSS score of 9.1, is due to the use of hardcoded credentials, which allows remote unauthenticated users to access internal functionalities and modify data. The vulnerability has been actively exploited in the wild, as confirmed by its listing in the CISA Known Exploited Vulnerabilities Catalog. Immediate application of the hotfix provided by SolarWinds is essential to mitigate the risk.
Technical Information
The vulnerability CVE-2024-28987 is categorized under CWE-798: Use of Hard-coded Credentials. This classification highlights the inherent risk posed by hardcoded credentials, which can be exploited by attackers to gain unauthorized access to systems. In the case of SolarWinds Web Help Desk, the exploitation of this vulnerability allows attackers to bypass security policies, leading to unauthorized access to sensitive data and potential modification of system configurations. The vulnerability is particularly concerning given the widespread use of Web Help Desk in critical environments, including businesses and government administrations.
The technical mechanism of the vulnerability is a set of credentials embedded in the software itself. Because the same secret ships with every installation, an attacker who learns it can present it to any exposed instance and be accepted as a legitimate user, gaining access to the system's internal functionalities. Once inside, attackers can manipulate data, alter configurations, and potentially disrupt operations. The risk is exacerbated by the fact that the vulnerability affects all versions of SolarWinds Web Help Desk up to 12.8.3 HF1, making a large number of systems potentially vulnerable.
The vulnerability's critical nature is underscored by its CVSS score of 9.1, which reflects the potential impact on confidentiality, integrity, and availability of affected systems. The exploitation of this vulnerability could lead to significant data breaches, financial losses, and reputational damage for affected organizations. The urgency of addressing this vulnerability is further emphasized by its inclusion in the CISA Known Exploited Vulnerabilities Catalog, indicating that it has been actively targeted by malicious actors.
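To make the CWE-798 pattern concrete for defenders reviewing their own applications, the following Python illustration (added here; it is not SolarWinds Web Help Desk code and does not reflect that product's internals) places a constructed hardcoded-credential login check beside a hardened version that takes its secret from the deployment environment, stores only a salted hash, compares in constant time and fails closed when no secret was provisioned. It also includes a crude source scan for literal secrets of the kind a secret-scanning tool would flag. All identifiers, variable names and sample values are constructed placeholders.

```python
"""CWE-798 (Use of Hard-coded Credentials): a constructed vulnerable login
check beside a hardened one, plus a simple source scan for the pattern.
Added illustration; none of this is SolarWinds Web Help Desk code."""
import hashlib
import hmac
import re
import secrets

# ---- Vulnerable pattern --------------------------------------------------
# The secret ships inside the program. Every copy of the software has the
# same credential, so anyone who extracts it once can authenticate anywhere.
HARDCODED_USER = "svc_account"      # constructed placeholder value
HARDCODED_PASSWORD = "changeme123"  # constructed placeholder value


def authenticate_vulnerable(username, password):
    return username == HARDCODED_USER and password == HARDCODED_PASSWORD


# ---- Hardened pattern ----------------------------------------------------
class MissingCredentialError(RuntimeError):
    """Raised when no credential was provisioned; the service fails closed."""


def derive(password, salt, iterations=200_000):
    # PBKDF2-HMAC-SHA256: the plaintext never needs to be stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class CredentialStore:
    """Holds salted password hashes for provisioned accounts."""

    def __init__(self):
        self._records = {}  # username -> (salt, derived hash)

    def add(self, username, password):
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, derive(password, salt))

    @classmethod
    def from_environment(cls, env):
        # The credential is injected at deployment time (environment, secret
        # manager, ...) and is unique per installation. The variable names are
        # hypothetical. Crucially there is NO fallback default: a missing
        # secret is an error, not a silently hardcoded credential.
        user = env.get("APP_SERVICE_USER")
        password = env.get("APP_SERVICE_PASSWORD")
        if not user or not password:
            raise MissingCredentialError("service credential not provisioned")
        store = cls()
        store.add(user, password)
        return store

    def authenticate(self, username, password):
        record = self._records.get(username)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison avoids leaking how much of the hash matched.
        return hmac.compare_digest(derive(password, salt), expected)


# ---- Detection: a crude source scan for the anti-pattern ----------------
_SECRET_ASSIGN = re.compile(
    r"""(?i)\b(pass(word)?|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["'][^"']{4,}["']"""
)


def find_hardcoded_secrets(source):
    """Return (line number, line) pairs that look like literal secrets.
    Heuristic only; a real review pairs it with secret-scanning tooling."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if _SECRET_ASSIGN.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed sample source for the scanner (line 1 is the blank line).
SAMPLE_SOURCE = '''
db_host = "db.internal"
password = "changeme123"
API_KEY = 'abcd-1234-efgh'
password = os.environ["APP_SERVICE_PASSWORD"]
'''

if __name__ == "__main__":
    print("vulnerable check accepts baked-in secret:",
          authenticate_vulnerable("svc_account", "changeme123"))
    store = CredentialStore.from_environment(
        {"APP_SERVICE_USER": "ops", "APP_SERVICE_PASSWORD": "per-install-secret"})
    print("hardened check:", store.authenticate("ops", "per-install-secret"),
          store.authenticate("ops", "wrong"))
    for number, line in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"possible hardcoded secret at line {number}: {line}")
```

The scanner flags the two literal assignments but not the line that reads the secret from the environment, which is the direction a remediation should move code in.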
Exploitation in the Wild
CVE-2024-28987 has been actively exploited in the wild, as evidenced by its listing in the CISA Known Exploited Vulnerabilities Catalog. While there are no specific reports of nation-state actors or APT groups exploiting this vulnerability, the availability of proof-of-concept (PoC) exploits on platforms like GitHub suggests that it is being targeted by cybercriminals. Notable PoCs include those by HazeLook (https://github.com/HazeLook/CVE-2024-28987), PlayerFridei (https://github.com/PlayerFridei/CVE-2024-28987), and fa-rrel (https://github.com/fa-rrel/CVE-2024-28987-POC). These PoCs demonstrate the potential for unauthorized access and data manipulation within the SolarWinds Web Help Desk system.
APT Groups using this vulnerability
As of this writing, there are no specific reports of Advanced Persistent Threat (APT) groups exploiting CVE-2024-28987. However, given the critical nature of the vulnerability and its potential impact, it remains a significant concern for organizations, particularly those in sectors that are frequent targets of APT activities.
Affected Product Versions
The vulnerability affects SolarWinds Web Help Desk versions 12.8.3 HF1 and all previous versions. The issue has been addressed in version 12.8.3 HF2. Organizations using affected versions are strongly advised to upgrade to the latest version to mitigate the risk of exploitation.
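For asset owners who need to sort an inventory of Web Help Desk installs into affected and patched, the following Python helper (added here; it is not a SolarWinds tool) parses version strings in the notation used on this page, where an "HF" suffix denotes a hotfix applied on top of a base version, and compares them against the fixed version 12.8.3 HF2. A build with no hotfix suffix ranks below the same base with a hotfix, shorter bases are zero-padded, and a string that cannot be parsed is sent for manual review rather than silently marked safe. The inventory lines are constructed.

```python
"""Triage SolarWinds Web Help Desk versions against the fixed build.
Added helper, not a SolarWinds tool. Version notation follows the page
("12.8.3 HF1"); the inventory below is constructed sample data."""
import re

FIXED_VERSION = "12.8.3 HF2"  # fixed release named in the advisory

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """'12.8.3 HF1' -> ((12, 8, 3), 1); a build without a hotfix gets 0.
    Returns None when the string is not a recognisable version."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    base = tuple(int(part) for part in match.group(1).split("."))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return base, hotfix


def version_key(parsed, width=4):
    """Comparable tuple: zero-padded base followed by the hotfix number,
    so that 12.8 == 12.8.0 and 12.8.3 < 12.8.3 HF1 < 12.8.3 HF2."""
    base, hotfix = parsed
    return base + (0,) * (width - len(base)) + (hotfix,)


def is_affected(version_text):
    """True if older than the fixed build, False if fixed or newer,
    None if the version string could not be parsed."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return version_key(parsed) < version_key(parse_version(FIXED_VERSION))


# Constructed inventory: (hostname, version string reported by the host).
INVENTORY = [
    ("helpdesk-01", "12.8.3 HF1"),
    ("helpdesk-02", "12.8.3 HF2"),
    ("helpdesk-03", "12.7.0"),
    ("helpdesk-04", "12.8.3"),
    ("helpdesk-05", "unknown"),
]


def triage(inventory):
    """Bucket hosts into affected, patched and needs-review lists."""
    buckets = {"affected": [], "patched": [], "review": []}
    for host, version in inventory:
        verdict = is_affected(version)
        if verdict is None:
            buckets["review"].append(host)
        elif verdict:
            buckets["affected"].append(host)
        else:
            buckets["patched"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "affected" bucket need the hotfix; anything in "review" reported a version string the parser did not recognise and should be checked by hand rather than assumed patched.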
Workaround and Mitigation
SolarWinds has released a hotfix (version 12.8.3 HF2) to address CVE-2024-28987. It is imperative for users to apply this hotfix immediately to secure their systems. In cases where applying the hotfix is not feasible, organizations should consider discontinuing the use of the affected product to prevent potential exploitation. No effective workarounds have been documented for this vulnerability, making the application of the patch essential to ensure the security of the systems.
References
- NVD Entry for CVE-2024-28987: https://nvd.nist.gov/vuln/detail/CVE-2024-28987
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- SolarWinds Security Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
- Horizon3.ai Analysis: https://www.horizon3.ai/attack-research/disclosures/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive
- Arctic Wolf Blog: https://arcticwolf.com/resources/blog/cve-2024-28986-cve-2024-28987-follow-up-new-solarwinds-hotfix-addresses-critical-vulnerabilities-in-web-help-desk
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive insights into vulnerabilities and potential threats, enabling organizations to proactively manage their security posture. We are here to assist you with any questions or concerns you may have regarding this report or any other cybersecurity issues. Please feel free to reach out to us at ops@rescana.com.