SolarWinds, an enterprise software firm, has fixed a critical bug in its Web Help Desk software. The flaw made it easy for attackers to execute arbitrary HQL (Hibernate Query Language).
SolarWinds, headquartered in Austin, Texas, develops software that helps enterprises manage their systems, networks, and IT infrastructure.
SolarWinds Web Help Desk is a help desk ticketing and asset management product that lets customers triage and handle end-user trouble tickets and track the service request lifecycle through a centralized web interface.
The security firm Assetnote discovered the bug. It found that hardcoded credentials embedded in the product were automatically accepted at several places in the source code, granting access to sensitive controllers.
Attackers could execute HQL queries against the database models defined in the source code and read the password hashes of registered users, including administrator password hashes.
It is also possible for attackers to read other sensitive information from the database and, using that information, carry out many further SQL operations.
“Through hardcoded credentials, it is possible to access an endpoint which lets you evaluate arbitrary HQL. This ultimately allows you to perform read and write operations on the database. For example, through this HQL evaluation, we were able to extract the administrator password hashes,” Assetnote said.
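The root cause described above is a class of defect, credentials baked into source and compared against user input as string literals, that code review tooling can catch before release. As an added illustration (not code from SolarWinds, Assetnote, or this article), the following Python scanner flags the two shapes behind that class in Java-style source: a secret stored as a string literal, and an authorization check that compares a supplied credential against a literal. The sample Java class, its identifiers, and the secret values in it are constructed for the example and do not describe the real product.

```python
"""Flag hardcoded credentials in Java-style source (illustrative, added example)."""
import re
from typing import Iterator, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    text: str


# Identifier fragments that usually denote a secret.
SECRET_NAMES = r"(?:pass(?:word|wd)?|secret|token|api[_-]?key|credential)"

RULES = [
    # A string literal assigned to a secret-looking field or variable:
    #   private static final String ADMIN_PASSWORD = "hunter2";
    ("literal-secret-assignment",
     re.compile(rf'\b\w*{SECRET_NAMES}\w*\s*=\s*"[^"]{{4,}}"', re.I)),
    # A credential check against a literal, the "automatically accepted" shape:
    #   request.getParameter("password").equals("letmein")
    #   "letmein".equals(suppliedToken)
    ("literal-credential-comparison",
     re.compile(rf'(?:{SECRET_NAMES}\w*[")]*\s*\.equals\(\s*"[^"]+"'
                rf'|"[^"]+"\s*\.equals\(\s*\w*{SECRET_NAMES})', re.I)),
    # A Basic-auth header value embedded as a literal.
    ("literal-basic-auth",
     re.compile(r'"Basic\s+[A-Za-z0-9+/=]{8,}"')),
]


def scan_lines(path: str, lines) -> Iterator[Finding]:
    """Yield one finding per source line that matches any rule."""
    for number, line in enumerate(lines, start=1):
        stripped = line.strip()
        # Skip comment lines to cut review noise.
        if stripped.startswith("//") or stripped.startswith("*"):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                yield Finding(path, number, rule, stripped)
                break  # one finding per line is enough for a reviewer


def scan_source(path: str, source: str) -> List[Finding]:
    return list(scan_lines(path, source.splitlines()))


# Constructed sample; not code from any real product. Line 4 shows the
# safe shape (secret read from the environment), which the scanner ignores.
SAMPLE_JAVA = """\
public class TicketAuthFilter {
    // Constructed example for the scanner.
    private static final String SUPPORT_PASSWORD = "s3cr3t-support";
    private static final String HQL_TOKEN = System.getenv("HQL_TOKEN");

    boolean isAuthorized(HttpServletRequest request) {
        if (request.getParameter("password").equals("s3cr3t-support")) {
            return true;
        }
        return "Basic YWRtaW46aHVudGVyMg==".equals(request.getHeader("Authorization"));
    }
}
"""

if __name__ == "__main__":
    for finding in scan_source("TicketAuthFilter.java", SAMPLE_JAVA):
        print(f"{finding.path}:{finding.line} [{finding.rule}] {finding.text}")
```

Run against the constructed sample, the scanner reports lines 3, 7, and 10 and stays silent on line 4, where the token comes from the environment rather than the source. A real deployment would wire this into pre-commit or CI so that a literal credential never reaches a release, and would pair it with removing any endpoint that evaluates caller-supplied queries.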
Assetnote reported the issue to SolarWinds on October 31 last year; the fix shipped as Web Help Desk 12.7.7 Hotfix 1 on December 23.
Although there is no significant evidence that the vulnerability affected customers, the bug could have had far more serious consequences.