SolarWinds left critical hardcoded credentials in its Web Help Desk product

SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data. The software maker has now issued an update to address that critical oversight; its users are encouraged to install …

  1. that one in the corner Silver badge

    Hot fix has to be manually installed

    > users are encouraged to install the fix, which presumably removes the baked-in creds.

    Guessing the start of these special manual hot fix instructions begins with "Step 1: do *not* take a backup copy".

    > It affects Web Help Desk 12.8.3 HF1 and all previous versions

    And the final step is "Now delete all your previous backups".

    1. elDog

      And how many organizations are going to pull their off-line backups to fix this?

      I'll take any wagers over 0.

      Anyone know how hard it is to process many daily/weekly/monthly/yearly backups and selectively update one or more files on these?

      I'm guessing everybody is going to say "Well they are in a vault and encrypted. And we'll probably never have to do a real disaster recovery."

      (Says those who have never really had to roll-back full systems.)

      1. John Robson Silver badge

        Re: And how many organizations are going to pull their off-line backups to fix this?

        So the answer is to add a "critical updates" calendar to your DR plan...

    2. An_Old_Dog Silver badge

      Re: Hot fix has to be manually installed

      I worked at a place where the PCs' OS and local data are not backed up - you're supposed to keep your [the company's] data on network shares, which are backed up. A sufficiently-bjorked PC is re-imaged.

      That means this fix would probably be implemented in a post-image fixup script, and incorporated into the next-generation Windows image.

      Something (I don't recall what) happened, and we had to do a full restore of the all-departments shared-data share. Despite having a software-controlled, robotic-arm, multi-drive tape cartridge box with multiple, high-end SCSI interfaces, the restore took more than three days.

  2. sanmigueelbeer
    Coat

    > which presumably removes the baked-in creds.

    Emphasis on the word "presumably".

    It ain't over 'til the fat lady sings.

  3. Anonymous Coward
    Big Brother

    Security software blunders and the State Security Apparatus

    Why go to the effort of backdooring code when devs will basically do it for you accidentally anyway?

    Given the ubiquity of such security software blunders, I suspect these are the backdoors. The clue is in the following quote:

    > the customer base that SolarWinds has across government and enterprise clients

    With all your stuff now in “The Cloud”, they now have Total Information Awareness.

    1. John_Ericsson

      Re: Security software blunders and the State Security Apparatus

      "Never attribute to malice that which is adequately explained by stupidity."

  4. Pascal Monett Silver badge

    SolarWinds? Again?

    They just can't stay out of the limelight, now can they?

    1. Michael Wojcik Silver badge

      Re: SolarWinds? Again?

      Well, have one major security issue, and you invite more scrutiny, which often leads to more public security issues, because you get found out. And you're more newsworthy when you are.

      I'm sure there are plenty of other commercial software packages out there with hard-coded credentials that simply haven't had a close look by the sorts of researchers who publish their findings or notify the vendor, rather than adding them to a secret (government, industry, or personal) collection.

      If you follow, say, Full Disclosure, you know that this sort of thing is quite common.

    2. sanmigueelbeer
      Pint

      Re: SolarWinds? Again?

      CrowdStrike: We DDoSed the whole world!

      SolarWinds: Here, hold my beer ...

  5. Sceptic Tank Silver badge
    Headmaster

    MZ Back when Hungarian Ruled

    Well yeah. If in 2024 you still use Hungarian Notation your security standards are likely to be ca. 1992 as well. In fact, I can't figure out what style they are using; looks to me like Abbreviated Pascal the Hungarian Camel. At least I can't fault them on the placement of their curly braces – well done there!

    1. Yorick Hunt Silver badge
      Holmes

      Re: MZ Back when Hungarian Ruled

      Yeah, I don't think the photographer trying to earn a living by licencing stock photos would've had any input into - or access to - SolarWinds source code.

      More likely nobody bothered to review the code after that fateful week years ago, when they had a work experience kid in at the office to write the product for them.

      1. Michael Wojcik Silver badge

        Re: MZ Back when Hungarian Ruled

        > when they had a work experience kid in at the office to write the product for them

        I've seen plenty of stupid vulnerabilities introduced by experienced developers, and interns with better-than-average secure-development practices.

        1. Richard 12 Silver badge

          Re: MZ Back when Hungarian Ruled

          The usual reason is "I'll just put this in for now and do it properly later".

          Morgan Freeman voiceover

          And to this day, they never did.

  6. pc-fluesterer.info
    FAIL

    SolarWinds - I heard that name before

    If only I could recall where ... <eg>

  7. sitta_europea Silver badge

    Does anybody else think it's starting to look like SolarWinds is utterly clueless?

  8. Anonymous Coward

    Removed......But Actually Changed????

    Quote: "...SolarWinds left hardcoded credentials ..."

    First four words in the article.........

    .......so they have removed the "hardcoded credentials" from their product................

    .......but HAVE THEY CHANGED THEM?

    I think we should be told!!

    1. Anonymous Coward

      Re: Removed......But Actually Changed????

      They can't change it yet, or else the Help Desk client software will stop working due to authentication failure.
