Enterprise software firm Solarwinds has fixed a critical bug in its Web Help Desk software that allowed attackers to execute arbitrary Hibernate Query Language (HQL) code.
Solarwinds Web Help Desk is a helpdesk ticketing and asset management solution that allows customers to manage end user trouble tickets and track the service request lifecycle via a centralized web interface.
Security firm Assetnote discovered that it contained hardcoded credentials, which were accepted at several locations in the source code and granted access to sensitive controllers.
HQL injection
As explained in a technical blog post, an attacker could execute HQL queries against the database models defined in the source code and read the password hashes of the registered users, including administrator password hashes.
Beyond reading sensitive information from the database, attackers could also carry out write operations such as INSERT, UPDATE, and DELETE, as long as the codebase contained a Hibernate model for the target database table.
“Through hardcoded credentials, it is possible to access an endpoint which lets you evaluate arbitrary HQL,” Shubham Shah, co-founder and CTO of Assetnote, tells The Daily Swig.
“This ultimately allows you to perform read and write operations on the database. Through this HQL evaluation, we were able to extract the administrator password hashes.”
Vulnerable instances
Shah says the team found numerous internet-exposed instances that were vulnerable to exploitation in the wild.
“We went through the active installations for Solarwinds Web Help Desk on the internet and found that our exploit was still valid even though there were some restrictions that needed to be passed before exploiting the issue,” he says.
Shah added: “The use of hardcoded credentials is a poor security design decision, as anyone can obtain these credentials through reverse engineering.”
“A number of authentication systems in the application rely on these hardcoded credentials, which are not to be considered secret.”
Patch timeline
Assetnote reported the issue to Solarwinds on October 31 last year; the fix was released as Web Help Desk 12.7.7 Hotfix 1 on December 23.
“We have no evidence that any customers were impacted by this software vulnerability, which would have required a threat actor to have local, on-premise and direct access to the WHD server,” a Solarwinds spokesperson tells The Daily Swig.
Assetnote warns that many organizations focus too much on in-house software and network issues, and fail to appreciate the risks of third-party enterprise software which, it says, often contains vulnerabilities.