
SolarWinds Gives Federal Agencies Labour Day Present


SolarWinds Web Help Desk CVE-2024-28986 (rated 9.8 out of 10) is now listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, indicating that it is being actively used in cyber attacks; under Binding Operational Directive 22-01, affected agencies have until September 5, 2024 to fix the flaw. How fun.

This is a different type of issue from the December 2020 Christmas present of a breached supply chain, which allowed all sorts of software-update shenanigans. CVE-2024-28986 is instead a more run-of-the-mill deserialisation issue: system A trusts what system B gave it.

Being in the ‘Known Exploited Vulnerabilities’ catalog means:

  • it’s bad
  • you know it’s bad
  • bad actors know it’s bad
  • bad actors are using it right now

In this case, the Web Help Desk product is at risk. In addition to the specific remediation (patch), I recommend working on a Defence In Depth strategy. In particular, I earlier gave three enduring strategies that buy you more time to respond while lowering the blast radius of whatever does go bad: time to react, information to react on, and methods to slow the attacker down while you react.

This isn’t going to get easier anytime soon. In this case it’s not a buffer-overflow type issue, so one cannot simply say “switch to pointerless languages”. It’s not a supply-chain issue, solved with better SBOMs etc. It’s Java code reading information from elsewhere and making a mistake in interpreting it. This is going to continue to happen, and attackers are going to continue to be motivated by various economic and socio-political motives.
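The bug class in the abstract, as an added illustration that is not Web Help Desk code and not taken from this post: a Java ObjectInputStream that reconstructs whatever class the remote peer names, next to the same read constrained by a JEP 290 allow-list filter. DeserialisationDemo, HelpTicket and the depth/reference limits are hypothetical choices, and nothing here describes the actual mechanism of CVE-2024-28986.

```java
import java.io.*;
import java.util.Set;

public class DeserialisationDemo {
    // Hypothetical message type that "system B" is allowed to send to "system A".
    public static final class HelpTicket implements Serializable {
        final String subject;
        HelpTicket(String subject) { this.subject = subject; }
    }
    // The only classes that may be reconstructed from the wire.
    private static final Set<String> ALLOWED =
        Set.of(HelpTicket.class.getName(), String.class.getName());

    // Vulnerable pattern: whatever class the stream names is loaded, instantiated
    // and has its deserialisation logic run before the caller can check anything.
    static Object readUnchecked(byte[] wire) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 filter (Java 9+) rejects any class outside the
    // allow-list, and over-deep or over-large graphs, before the object is built.
    static Object readFiltered(byte[] wire) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(info -> {
                if (info.depth() > 4 || info.references() > 100) return ObjectInputFilter.Status.REJECTED;
                Class<?> c = info.serialClass();
                if (c == null) return ObjectInputFilter.Status.UNDECIDED; // resource-only check, no class
                return ALLOWED.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }
    static byte[] serialise(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ticket = serialise(new HelpTicket("printer jam"));          // constructed sample message
        byte[] other = serialise(new java.util.HashMap<String, String>()); // any class not on the allow-list
        System.out.println(readUnchecked(other).getClass().getName());     // the unchecked read accepts it
        System.out.println(readFiltered(ticket).getClass().getSimpleName()); // the allow-listed type passes the filter
        try { readFiltered(other); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); } // filter refused it
    }
}
```

The same policy can be applied process-wide with the `jdk.serialFilter` system property, which is the practical route for third-party code whose ObjectInputStream calls you cannot edit.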

Enjoy that long weekend of patch and deploy.