Warning: SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability, Patch Immediately!

Reference: Advisory #2024-246
Version: 1.0
Affected software: SolarWinds Web Help Desk 12.8.3 HF2 and all previous versions
Type: Remote Code Execution (RCE)
CVE/CVSS: CVE-2024-28988: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

SolarWinds: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28988

Risks

An unauthenticated attacker can exploit this vulnerability by sending malicious inputs to execute arbitrary code on the server, allowing them to control the host machine. A successful attack can lead to a full takeover of the SolarWinds Web Help Desk server, affecting confidentiality, integrity, and availability.

A similar vulnerability in SolarWinds Web Help Desk became known to be actively exploited in the wild in less than 2 months: CVE-2024-28987, released on 21 August 2024, was added to the Known Exploited Vulnerabilities list of CISA on 15 October 2024.

Description

CVE-2024-28988 is a critical flaw in SolarWinds' Web Help Desk platform. It allows remote code execution (RCE) through Java deserialization of untrusted data.

Exploitation requires network access but no authentication, special privileges, or user interaction, and has a low attack complexity, which makes the vulnerability relatively easy for attackers to leverage.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
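To prioritise patching, an asset inventory can be checked against the affected range stated above (12.8.3 HF2 and all previous versions). The following is an added example, not code from the CCB or SolarWinds; it assumes version strings of the form "MAJOR.MINOR.PATCH" optionally followed by "HF<n>", and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Highest affected release according to this advisory: 12.8.3 HF2.
AFFECTED_CEILING = (12, 8, 3, 2)

# Assumed format: "MAJOR.MINOR.PATCH" with an optional "HF<n>" hotfix suffix.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:[\s._-]*HF\s*(\d+))?\s*$", re.IGNORECASE
)

def parse_version(text):
    """Return (major, minor, patch, hotfix), or None if the string is not understood."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    major, minor, patch, hotfix = match.groups()
    # A release without a hotfix suffix sorts before HF1 of the same release.
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def classify(text):
    """'affected' if <= 12.8.3 HF2, 'not-listed' if newer, 'unknown' if unparseable."""
    version = parse_version(text)
    if version is None:
        # Never assume an unreadable version is safe; it needs a manual check.
        return "unknown"
    return "affected" if version <= AFFECTED_CEILING else "not-listed"

def triage(inventory):
    """Map each host in (host, version_string) pairs to its classification."""
    return {host: classify(version) for host, version in inventory}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("whd-prod-01", "12.8.3 HF2"),
    ("whd-prod-02", "12.8.3 HF3"),
    ("whd-test-01", "12.7.9"),
    ("whd-dr-01", "12.8.3"),
    ("whd-lab-01", "12.8.4"),
    ("whd-old-01", "unknown build"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand and treated as affected until confirmed otherwise.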

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

CISA: https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-exploited-vulnerabilities-catalog