Critical SolarWinds CVE-2024-28986 Vulnerability Added to CISA’s Known Exploited Vulnerabilities Catalog
On August 13, 2024, SolarWinds released a security advisory regarding a critical vulnerability in their Web Help Desk (WHD) software. The vulnerability, CVE-2024-28986, poses a significant risk of remote code execution via Java deserialization.
Introduction
On August 13, 2024, SolarWinds released a security advisory regarding a critical vulnerability in their Web Help Desk (WHD) software. The vulnerability, CVE-2024-28986, poses a significant risk of remote code execution via Java deserialization. Due to its severity, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog on August 15, 2024. The addition highlights the urgency for organizations to address this issue promptly to mitigate the risk of exploitation.
Report Overview
The CVE-2024-28986 vulnerability was reported by security researchers who responsibly disclosed the issue to SolarWinds. This vulnerability allows an attacker to execute commands on the host machine via Java deserialization. Although SolarWinds initially could not reproduce the exploit without authentication, the company has advised all WHD customers to apply the patch immediately due to the critical nature of the vulnerability.
The vulnerability exists in multiple SolarWinds Web Help Desk versions, explicitly affecting the software's handling of serialized Java objects. An attacker can exploit this weakness by sending a specially crafted request to the server, resulting in remote code execution on the target system. The vulnerability is classified as unauthenticated, meaning an attacker does not need valid credentials to exploit it, significantly increasing the risk level. However, SolarWinds' internal testing indicated that the exploit might require some level of authentication, though they recommend applying the patch as a precautionary measure.
SolarWinds released the WHD 12.8.3 Hotfix 1 to address the vulnerability, which includes the necessary updates to mitigate the risk. The hotfix modifies several core components of the Web Help Desk application, including whd-core.jar and whd-web.jar files. It introduces a new whd-security.jar file to bolster security.
The CVE-2024-28986 vulnerability is rated as critical, with a severity score of 9.8 out of 10, reflecting its high potential for damage. If successfully exploited, it could allow attackers to control the affected system completely, leading to data breaches, unauthorized access, and potential system compromise. The vulnerability's inclusion in CISA's Known Exploited Vulnerabilities Catalog indicates that malicious actors have actively targeted it, making immediate remediation essential for all organizations using SolarWinds Web Help Desk.
SolarWinds acknowledged the severity of the issue and expressed gratitude towards the security researchers and Inmarsat Government / Viasat for their assistance in identifying and resolving the vulnerability.
"While we could not reproduce the unauthenticated exploit scenario in our internal tests, we urge all customers to apply the hotfix as a precautionary measure to protect against potential threats,"
SolarWinds stated in their advisory.
CISA also emphasized the importance of addressing this vulnerability, urging all organizations, not just Federal Civilian Executive Branch agencies, to prioritize its remediation.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,"
CISA noted in their alert.
Insights and Analysis
To protect against the potential exploitation of CVE-2024-28986, SolarWinds customers are strongly advised to apply the WHD 12.8.3 Hotfix 1 immediately, especially if their Web Help Desk deployment is on a public-facing server. Those using SAML Single Sign-On (SSO) should await further updates as the hotfix impacts this functionality.
The CVE-2024-28986 vulnerability in SolarWinds Web Help Desk is a critical threat that requires immediate attention. Its inclusion in CISA's Known Exploited Vulnerabilities Catalog underscores the active risk it poses to organizations. Applying the provided hotfix is essential to mitigate the risk and protect against potential cyberattacks.
Indicators of Compromise (IoCs)
| Indicator | Type | Description |
|---|---|---|
Unusual requests to /api/extraGetPattern or /api/anotherGetPattern/.* | Network Indicator | Potential attempts to exploit the vulnerability through crafted GET requests. |
Unusual requests to /api/extraPostPattern or /api/anotherPostPattern | Network Indicator | Potential attempts to exploit the vulnerability through crafted POST requests. |
| Execution of unauthorized commands on the server | Host Indicator | Signs of remote code execution following exploitation. |
Presence of whd-security.jar with unexpected modifications | File Indicator | Indicates tampering with the security configuration of Web Help Desk. |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Attackers exploit vulnerabilities in internet-facing web applications to gain access. |
| Execution | Command and Scripting Interpreter: Java | T1059.006 | Exploitation of Java deserialization to execute arbitrary code on the host system. |
| Persistence | Valid Accounts | T1078 | Use of valid credentials to maintain persistent access, possibly required for exploitation. |
| Impact | Data Destruction | T1485 | Potential for attackers to destroy or manipulate data following a successful exploit. |
References
Comments ()