SolarWinds Web Help Desk CVE-2024-28986 (rated 9.8 out of 10) is now in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, meaning it is being actively used in attacks, and affected federal agencies have until September 5, 2024 to fix the flaw under Binding Operational Directive 22-01. How fun.
This is a different kind of issue from the December 2020 Christmas present of a breached supply chain, which allowed all sorts of software-update shenanigans. CVE-2024-28986 is instead a more run-of-the-mill deserialisation issue: system A takes a serialised object graph from system B and rebuilds it, trusting whatever classes and values B chose to put in it.
The ‘Known Exploited Vulnerabilities’ catalog means:
- it’s bad
- you know it’s bad
- bad actors know it’s bad
- bad actors are using it right now
In this case, the Web Help Desk product is at risk. In addition to the specific remediation (patching), I recommend working on a Defence in Depth strategy. In particular, I earlier gave three enduring strategies that lower the blast radius of what does go bad and buy you time: time to react, information to react on, and ways to slow the attacker down while you do.
This isn’t going to get easier any time soon. This is not a buffer-overflow type issue, so one cannot simply say “switch to memory-safe (pointerless) languages”. It’s not a supply-chain issue that better SBOMs would solve. It’s Java code reading data from elsewhere and making a mistake in interpreting it: the reader reconstructs whatever object types the sender names, rather than only the type it was expecting. That is going to keep happening, and attackers are going to keep being motivated to exploit it by various economic and socio-political motives.
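To make the “system A trusts what system B gave it” point concrete, here is an added example that is not SolarWinds code and does not reproduce the CVE-2024-28986 bug itself. It shows the generic trusting `ObjectInputStream.readObject()` pattern beside the same read with a JDK `ObjectInputFilter` allowlist (available since Java 9). The `Ticket` and `Unexpected` classes are invented stand-ins: `Ticket` is the type the reader expects, and `Unexpected` stands in for any class an attacker chooses to send (a real attack would send a gadget chain; here it is deliberately harmless so the example runs offline).

```java
import java.io.*;

// Added example, not code from SolarWinds Web Help Desk.
// Run with: java DeserializationDemo.java   (JDK 11 or newer)
public class DeserializationDemo {

    // The one type the reader legitimately expects from the other side.
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String title;
        Ticket(String title) { this.title = title; }
    }

    // Stand-in for "whatever else the sender decides to put in the stream".
    // In a real attack this would be a gadget-chain class; here it is harmless.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    // Helper: produce the bytes system B would send to system A.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: rebuild whatever object graph the bytes describe.
    // The class to instantiate is chosen by the sender, not by this code.
    static Object readTrusting(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: allowlist the expected class, reject every other
    // class ("!*"), and cap the size of the graph the stream may describe.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$Ticket;!*;maxdepth=4;maxrefs=32;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject(); // throws InvalidClassException if the filter rejects
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Ticket("printer on fire"));   // constructed sample input
        byte[] bad  = serialize(new Unexpected());                // constructed sample input

        // The trusting reader happily builds both: the second one is the problem.
        System.out.println("trusting reader built: " + readTrusting(good).getClass().getSimpleName());
        System.out.println("trusting reader built: " + readTrusting(bad).getClass().getSimpleName());

        // The filtered reader builds the expected type and refuses the other.
        System.out.println("filtered reader built: " + ((Ticket) readFiltered(good)).title);
        try {
            readFiltered(bad);
            System.out.println("filtered reader built: Unexpected (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered reader rejected Unexpected: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner would want. First, the same pattern string can be applied process-wide with `-Djdk.serialFilter=...` rather than per stream, which is the more reliable way to retrofit an existing code base where you cannot find every `readObject()` call. Second, an allowlist only helps if the allowlisted classes (and their field types) are not themselves gadgets; the stronger fix is to stop accepting native Java serialisation from the other side at all and exchange a schema-checked format such as JSON or protobuf instead.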
Enjoy that long weekend of patch and deploy.