Vulnerability Management, Patch/Configuration Management, Threat Intelligence

SolarWinds patches critical RCE vulnerability in its Web Help Desk

Share
SolarWinds company logo icon on website, Illustrative Editorial

Administrators ready to take an early weekend have been served with what might be the scariest three words in IT: Critical SolarWinds Vulnerability.

The IT services provider said that a vulnerability in its Web Help Desk (WHD) offering could potentially allow an attacker to achieve remote code execution and take over a vulnerable system without authentication.

Labeled CVE-2024-28986, the flaw is down to a Java deserialization vulnerability. An attacker with access to the WHD application can send malicious commands to the target system and achieve code execution.

The discovery of a remote takeover flaw in SolarWinds will not sit well with customers who will no doubt remember the 2020 SolarWinds Orion breach and the resulting string of supply chain breaches that came from the attack. The company was eventually taken to court in the matter.

The full extent of the flaw is unclear. While the researchers who discovered the flaw reported being able to achieve full execution without authentication, SolarWinds said its own team was unable to fully recreate the attack.

Still, there is enough evidence for the vulnerability to be rated a 9.8 on the CVSS scale as a remote code execution flaw, one of the highest scores possible on the vulnerability-rating scale.

“Out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available,” SolarWinds said.

Administrators in most cases are advised to update WHD to version WHD 12.8.3 Hotfix 1. There is, however, one serious caveat. SAML single sign-on is not compatible with the update and administrators running those configurations are being advised to wait for a compatible fix.

SolarWinds is not the only company to issue a security fix. Companies running Palo Alto Networks hardware will want to take a close look at the bulletin for CVE-2024-5914. That flaw, determined to be a "moderate" security risk by the vendor allows command injection attacks via the Cortex XSOAR Commonscripts pack.

Palo Alto noted that the attack is locally exploited, meaning a threat actor would have to already be signed into the network in order to target the flaw.

Administrators are advised to update to version 1.12.33 in order to obtain the patch.

The releases come on what has already been a busy week for patching enterprise platforms. Earlier this week Microsoft dropped a Patch Tuesday monthly update which included fixes for nine zero-day vulnerabilities already under attack in the wild.

For many admins, it is shaping up to be a busy few days ahead of testing and deploying critical updates.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.