CVE-2024-28986 - Remote Code Execution in SolarWinds Web Help Desk – What You Need to Know and How to Stay Safe
Summary:
In early 2024, security researchers discovered a serious vulnerability in SolarWinds Web Help Desk software—CVE-2024-28986. This flaw allows attackers to remotely execute code using a Java Deserialization vulnerability. Exploiting this means a hacker can potentially run any command on the server where Web Help Desk is installed.
In this post, we’ll break down what CVE-2024-28986 is, how it works, share relevant code snippets, offer steps for remediation, and link you to the most important references.
What is CVE-2024-28986?
CVE-2024-28986 is a Java Deserialization Remote Code Execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD). In simple terms, it lets an attacker send specially crafted data (called a “serialized object”) to the web application. If the application does not properly check or filter this data, the attacker can trick the software into running malicious commands.
Initial reports suggested this flaw was “unauthenticated,” meaning anyone (no login needed) could exploit it. However, thorough tests by SolarWinds were only able to reproduce the vulnerability after authentication—so you’ll need a valid Web Help Desk login to pull off this attack in the real world, according to SolarWinds.
How Does This Work? (Exploitation Details)
The core of this weakness lies in how Java applications process serialized objects. Deserialization reconstructs objects, and runs their readObject logic, before the application has any chance to validate them. Certain Java libraries are known to be risky when they deserialize data from untrusted sources, because their classes can be chained (a so-called gadget chain) so that attacker-chosen code executes during deserialization.
The attack flow goes like this:
1. An attacker prepares a specially crafted Java object that, once deserialized, triggers execution of a system command.
2. The attacker sends this object to a vulnerable endpoint in the Web Help Desk app.
3. If not authenticated, the endpoint should block the payload. But if authenticated (per SolarWinds testing), the payload is deserialized.
4. Malicious code is executed on the WHD server with whatever privileges the application has.
A note: For obvious reasons, we won’t publish weaponized payloads. The following is a generic example, for educational purposes only, showing the dangerous part—a deserialization chain using the CommonsCollections gadget:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
import java.util.HashMap;
import java.util.Map;
import java.io.ObjectOutputStream;
import java.io.FileOutputStream;

public class PayloadDemo {
    public static void main(String[] args) throws Exception {
        // InvokerTransformer reflectively calls a method named "exec" with a
        // single String argument on whatever object it is asked to transform.
        Transformer transformer = new InvokerTransformer(
                "exec",
                new Class[] { String.class },
                new Object[] { "calc.exe" } // For demo: open calculator on Windows
        );

        // Decorate an ordinary map so the transformer travels inside the
        // serialized object graph and runs whenever a value is written to the map.
        Map normalMap = new HashMap();
        normalMap.put("key", "value");
        Map transformedMap = TransformedMap.decorate(normalMap, null, transformer);

        // Serialize the malicious map to disk
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("exploit.bin"))) {
            oos.writeObject(transformedMap);
        }
    }
}
This snippet shows how an attacker might generate a serialized object that, when deserialized by a vulnerable app, can launch a command (like opening Calculator).
Important: This example does NOT exploit SolarWinds, and is just to illustrate a risky pattern.
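As a defensive counterpart to the risky pattern shown above, here is an added example (not code from the original post or from SolarWinds) of a JEP 290 ObjectInputFilter, available since Java 9, that admits only the classes an endpoint expects and rejects every other class before its readObject can run. The class name SafeDeserializer, the allowlist contents, and the HashMap<String,Integer> input are assumptions made for the demo.

```java
import java.io.*;
import java.util.*;

// Added example (not from the original post or SolarWinds): a JEP 290 ObjectInputFilter
// that admits only the classes this endpoint expects, so gadget classes such as
// org.apache.commons.collections.* are rejected before their readObject can run.
public class SafeDeserializer {
    // Assumed allowlist for a hypothetical endpoint that only ever receives a HashMap<String,Integer>.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Number");

    static final ObjectInputFilter FILTER = info -> {
        // Resource limits block stack-depth and reference-flood payloads.
        if (info.depth() > 10 || info.references() > 1_000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;   // no class at this step
        while (c.isArray()) c = c.getComponentType();                 // judge arrays by element type
        return c.isPrimitive() || ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    // Deserializes untrusted bytes under the filter; a rejected class raises InvalidClassException.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);   // must be set before the first readObject
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> ok = new HashMap<>();   // constructed sample of expected input
        ok.put("ticketId", 42);
        System.out.println("accepted: " + readFiltered(serialize(ok)));

        // Constructed stand-in for an unexpected class: anything outside the allowlist is refused.
        try {
            readFiltered(serialize(new ArrayList<>(List.of("x"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied JVM-wide without code changes through the jdk.serialFilter system property, which takes pattern lists such as `java.util.HashMap;java.lang.*;!*`.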
Why Should You Care?
- If you run SolarWinds Web Help Desk on exposed servers, attackers—if they gain valid credentials—can achieve full remote code execution (RCE).
- Unauthenticated exploitation claims haven’t been confirmed by SolarWinds. But that could change as new paths or endpoints are discovered.
SolarWinds’ Response & Patch
SolarWinds has confirmed the bug and recommends that all Web Help Desk customers apply the patch immediately, even though its own tests could only exploit it as an authenticated user. Keeping critical service desk systems safe should be a top priority.
SolarWinds Security Advisory:
Web Help Desk Java Deserialization RCE Advisory
References & Further Reading
- CVE-2024-28986 at NIST NVD
- SolarWinds Patch Download/Release Notes
- Rapid7 Analysis and Disclosure Timeline
- Java Deserialization Vulnerabilities Explained (OWASP)
Protecting Your Organization
1. Apply the Patch:
Update to the latest version of SolarWinds Web Help Desk, regardless of your authentication settings.
2. Restrict Access:
Limit access to WHD to only trusted users and internal network segments.
3. Review User Permissions:
Regularly audit user accounts and remove unnecessary privileges.
4. Monitor Logs for Unusual Activity:
Enable and review detailed logging for signs of strange or unauthorized commands.
5. Stay Informed:
Sign up for security alerts and keep up with advisories from both SolarWinds and credible security feeds.
Final Thoughts
While there’s some uncertainty about whether this bug can be hit without logging in, it’s still dangerous. Java deserialization flaws have a bad history—they often let attackers take over entire servers if left unpatched. Don’t delay: Patch your SolarWinds Web Help Desk as soon as possible, and follow best practices for securing your help desk systems.
If you have questions or need direct help, reach out to SolarWinds support or your company’s security team immediately.
*Stay safe out there!*
Author’s Note:
This article is exclusive, based on public advisories, responsible security research, and best practices. Weaponized exploit code is intentionally omitted. If you believe you have found a new exploitation path, report it responsibly.
Did this help you? Let us know or share with your IT colleagues. For more exclusive deep-dives into security threats, subscribe to our updates!
Timeline
Published on: 08/13/2024 23:15:16 UTC
Last modified on: 08/16/2024 15:04:28 UTC