SolarWinds has fixed a critical bug in its Web Help Desk software that allowed attackers to execute arbitrary Hibernate Query Language (HQL) code.
SolarWinds Web Help Desk is helpdesk ticketing and asset management software that lets customers manage end-user support tickets and track the service request lifecycle through a centralized web interface. The software was found to contain hardcoded credentials that are automatically accepted at several locations in the source code, enabling access to sensitive controllers.
An attacker could execute HQL queries against the database models defined in the source code and read the password hashes of registered users, including administrator password hashes, along with other sensitive information from the database. Where a Hibernate model for a database table exists in the codebase, the attacker could also carry out other SQL operations against that table, such as INSERT, UPDATE and DELETE.

Researchers' statement:
Using these hardcoded credentials, it is possible to access an endpoint which lets you evaluate arbitrary HQL. This ultimately allows you to perform read and write operations on the database. Through this HQL evaluation, we were able to extract the administrator password hashes.
The research team found that many instances were vulnerable and that only a few restrictions must be passed to exploit this in the wild.
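The two weaknesses the article describes, a hardcoded credential that is honoured at authentication points and an endpoint that evaluates caller-supplied HQL verbatim, shown beside hardened equivalents. This is an added Java illustration written for this page; it is not SolarWinds code and not taken from the Web Help Desk source. The class names, the Ticket entity, the CredentialStore interface, the placeholder secret and the Hibernate 5.x / javax.persistence wiring are all assumptions.

```java
import java.security.MessageDigest;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Minimal mapped entity standing in for a helpdesk table; the entity name and
// its columns are assumptions made for this illustration.
@Entity
class Ticket {
    @Id
    Long id;
    String clientName;
    String subject;
}

// --- Anti-pattern 1: a hardcoded credential honoured as a valid login ---
class VulnerableAuthFilter {
    // Constructed placeholder; the advisory does not publish the real value.
    private static final String SUPPORT_PASSWORD = "placeholder-hardcoded-secret";

    boolean isAuthorized(String user, String password, CredentialStore store) {
        // Anyone who learns the constant bypasses the credential store entirely,
        // and the constant is recoverable from the shipped bytecode.
        return SUPPORT_PASSWORD.equals(password) || store.verify(user, password);
    }
}

// --- Anti-pattern 2: an endpoint that evaluates caller-supplied HQL verbatim ---
class VulnerableHqlConsole {
    List<?> evaluate(Session session, String hql) {
        // The caller chooses the entity, the columns and the predicate, so every
        // mapped table (including the one holding user password hashes) is
        // readable, and bulk update/delete statements are accepted as well.
        return session.createQuery(hql).list();
    }
}

// --- Hardened: no constant secret; every login is verified against the store ---
interface CredentialStore {
    // Returns the stored salted hash for the user, or null if no such user exists.
    byte[] storedHash(String user);

    // Derives the hash of a candidate password with the user's salt (e.g. PBKDF2).
    byte[] hash(String user, String password);

    default boolean verify(String user, String password) {
        byte[] expected = storedHash(user);
        if (expected == null) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time, so the check does not
        // leak how many leading bytes of the hash matched.
        return MessageDigest.isEqual(expected, hash(user, password));
    }
}

class HardenedAuthFilter {
    boolean isAuthorized(String user, String password, CredentialStore store) {
        return store.verify(user, password); // single path, no built-in bypass
    }
}

// --- Hardened: fixed query text; the caller supplies only bound parameter values ---
class HardenedTicketQuery {
    List<Ticket> findTicketsForClient(Session session, String clientName) {
        Query<Ticket> q = session.createQuery(
                "from Ticket t where t.clientName = :client", Ticket.class);
        q.setParameter("client", clientName); // bound as a value, never concatenated
        return q.list();
    }
}
```

The hardened query fixes the HQL text at compile time, so a caller can choose which client's tickets to list but never which entity, which columns or what kind of statement runs; combined with removing the constant credential, there is no second authentication path left to recover from a decompiled jar and no generic query surface left to reach the user table through.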
The issue was reported to SolarWinds on October 31 last year, and the fix shipped in Web Help Desk 12.7.7 Hotfix 1 on December 23.
SolarWinds said in a statement that it has found no evidence that any customers were impacted by this vulnerability, which would have required a threat actor to have local, on-premises, direct access to the WHD server.