WARNING: CRITICAL VULNERABILITIES IN SIMPLEHELP REMOTE ACCESS SOFTWARE CAN LEAD TO INFO DISCLOSURE, PRIVILEGE ESCALATION, AND REMOTE CODE EXECUTION, PATCH IMMEDIATELY!

Published : 17/01/2025

Reference:
Advisory #2025-014

Version:
1.0

Affected software:
SimpleHelp 5.5.7 and earlier

Type:
Path traversal, arbitrary file inclusion, privilege escalation

CVE/CVSS:

CVE-2024-57727: CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-2024-57728: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-57726: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier

Risks

Update (2025-01-29) According to various sources, the vulnerabilities are actively exploited by threat actors.

  • CVE-2024-57727 - This vulnerability allows unauthenticated attackers to download arbitrary files from the SimpleHelp server. Notably, sensitive files such as the serverconfig.xml file, which contains hashed passwords for administrative accounts, can be accessed, potentially exposing other secrets like LDAP credentials and API keys.
  • CVE-2024-57728 - An attacker with admin privileges (either as SimpleHelpAdmin or a technician with admin rights) can exploit this vulnerability to upload arbitrary files to any location on the host. This can lead to remote code execution, such as uploading a malicious crontab on Linux servers or replacing executables on Windows servers to execute arbitrary code.
  • CVE-2024-57726 - This vulnerability allows a low-privilege technician to escalate their privileges to admin due to missing authorization checks in SimpleHelp's backend. By crafting a specific sequence of network requests, an attacker can gain admin access and exploit other vulnerabilities, such as arbitrary file upload, to take control of the system.
Exploitation of these vulnerabilities can have a high impact on confidentiality, integrity and availability.

Description

A threat actor can easily chain these vulnerabilities to achieve full machine compromise by:
  1. Exploiting CVE-2024-57727 (unauthenticated path traversal) to download sensitive files, such as the serverconfig.xml file, which contains hashed passwords for administrative accounts and may expose other secrets such as LDAP credentials and API keys.
  2. Using credentials recovered from the configuration file (for example by cracking the password hashes, or by reusing any other secrets stored in it) to log in as a technician or administrator.
  3. If the recovered account only has low-privilege technician access, exploiting CVE-2024-57726 (privilege escalation) to elevate that account to admin.
  4. Exploiting CVE-2024-57728 (arbitrary file upload, requires admin rights) to write malicious files, such as a reverse shell or a crontab file, to arbitrary locations on the host and gain remote code execution on the server.
  5. With code execution and admin access, the attacker fully controls the SimpleHelp server, can reach the customer machines connected to it, and can maintain persistent access.

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing the vendor updates on all vulnerable SimpleHelp installations with the highest priority, after thorough testing.
 
Monitor/Detect
 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/nl/cert/een-incident-melden.
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise. Because serverconfig.xml could be downloaded without authentication, organizations that may have been exposed should treat the secrets it holds (administrative password hashes, LDAP credentials, API keys) as compromised and rotate them after patching, and review technician accounts for unexpected admin rights.
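To support the monitoring recommendation above, the following script is an added example (not part of the CCB advisory and not SimpleHelp code) that triages HTTP access logs for the kind of request step 1 of the attack chain relies on: a path-traversal request, or any request naming serverconfig.xml. It assumes the SimpleHelp server sits behind a reverse proxy that writes Common Log Format lines; the advisory does not document the exact request paths used in the wild or SimpleHelp's own log format, so the rules are generic (any `..` segment after URL-decoding, including double-encoded forms, and the file name taken from the advisory). The sample log lines are constructed for the example.

```python
"""Triage reverse-proxy access logs for path-traversal attempts against SimpleHelp.

Added example, not from the CCB advisory or from SimpleHelp. Assumptions:
  - the proxy in front of SimpleHelp writes Common Log Format lines (see LOG_RE);
  - the request paths in SAMPLE_LOG are constructed for this example only.
"""
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# File named in the advisory as holding admin password hashes and other secrets.
SENSITIVE_FILES = ("serverconfig.xml",)


def normalize_path(raw: str) -> str:
    """URL-decode repeatedly (catches %252e double-encoding) and unify slashes."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def classify(line: str):
    """Return a hit dict for a suspicious request, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path")).split("?", 1)[0]
    segments = path.split("/")
    reasons = []
    if ".." in segments:
        reasons.append("traversal")
    if any(seg.lower() in SENSITIVE_FILES for seg in segments):
        reasons.append("sensitive-file")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": path,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def triage(lines):
    """Classify every line; a 200 on a suspicious request means the file was served."""
    hits = [h for h in (classify(line) for line in lines) if h]
    for h in hits:
        h["confirmed"] = h["status"] == 200
    return hits


def summarize(hits):
    """Count hits per source IP so the noisiest sources can be blocked or investigated."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jan/2025:10:01:02 +0100] "GET /toolbox/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jan/2025:10:02:03 +0100] '
    '"GET /static/%2e%2e/%2e%2e/serverconfig.xml HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/Jan/2025:10:02:05 +0100] '
    '"GET /static/..%252f..%252fconfig/other.xml HTTP/1.1" 404 128',
    '192.0.2.9 - - [17/Jan/2025:10:03:00 +0100] "GET /serverconfig.xml HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        flag = "CONFIRMED" if hit["confirmed"] else "attempt"
        print(f'{hit["ts"]} {hit["ip"]} {flag} {hit["path"]} {hit["reasons"]}')
    print("hits per source:", summarize(triage(SAMPLE_LOG)))
```

Run it against your real proxy logs by replacing SAMPLE_LOG with the file contents; a hit marked CONFIRMED (HTTP 200 on a traversal or serverconfig.xml request) should be treated as a likely disclosure of the file, and the secrets it contains rotated.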

References

https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/