Critical SimpleHelp vulnerabilities fixed, update your server instances!
If you’re an organization using SimpleHelp for your remote IT support/access needs, you should update or patch your server installation without delay, to fix security vulnerabilities that may be exploited by remote attackers to execute code on the underlying host.
About SimpleHelp and the vulnerabilities
SimpleHelp is relatively popular remote support/access software that has also occasionally been used by cyber attackers.
The solution is mostly used by technical services firms and organizations’ IT help desk and technical support teams. It uses the Java runtime environment to run its server and client components and, thus, can be run on Windows, macOS or Linux machines.
Horizon3.ai researchers have recently probed the software for security weaknesses, and have discovered three vulnerabilities:
- CVE-2024-57727, an unauthenticated path traversal vulnerability that could allow attackers to download arbitrary files from the SimpleHelp server, including logs and configuration secrets (encrypted with a hardcoded key)
- CVE-2024-57728, an arbitrary file upload flaw that could be exploited by authenticated attackers (e.g., leveraging admin credentials gleaned from downloading config files) to upload arbitrary files to the machine running the SimpleHelp server or even interact with/access remote machines if the “unattended access” option is switched on. “For Linux servers, an attacker could exploit this vulnerability to upload a crontab file to execute remote commands. For Windows servers, an attacker could overwrite executables or libraries used by SimpleHelp to get to remote code execution,” the researchers explained.
- CVE-2024-57726, a vulnerability stemming from missing authorization checks for certain admin functions, which could be misused by attackers to elevate their privileges to admin and, for example, exploit CVE-2024-57728 to take over the server.
A Shodan search has revealed nearly 3,500 internet-facing SimpleHelp servers, the researchers noted, but how many are still unpatched is unknown.
Internet-facing SimpleHelp servers (Source: Horizon3.ai)
Update or patch, and change passwords
The researchers refrained from publishing additional technical details for now, but they say that the flaws are trivial to reverse and exploit, and users should upgrade to a fixed version (5.5.8) or apply a patch to v5.4.10 or 5.3.9 as soon as possible.
“While we do not know of any exploits of this vulnerability, it is possible that the server’s configuration file could be exposed,” the company developing the software said.
With that in mind, they also advised organizations to:
- Change the Administrator password of the SimpleHelp server
- Change the passwords for Technician accounts (where possible), and
- Restrict the IP addresses that the SimpleHelp server can expect Technician and Administrator logins from (where possible).
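The upgrade guidance above can be turned into a quick inventory triage. The following is an added example, not code from SimpleHelp or Horizon3.ai; the host names and inventory are constructed, and treating releases later than 5.5.8 as fixed is an assumption.

```python
import re

FIXED = (5, 5, 8)                     # fixed release named in the article
PATCHABLE = {(5, 4, 10), (5, 3, 9)}   # releases the article says a patch exists for

_VERSION_RE = re.compile(r"[vV]?(\d+)\.(\d+)\.(\d+)", re.ASCII)


def parse_version(text):
    """Turn '5.4.10' or 'v5.4.10' into (5, 4, 10); raise ValueError otherwise."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.groups())


def triage(version_text):
    """Classify one server version against the article's guidance."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "UNKNOWN"              # needs a manual check
    # Tuples compare numerically, so 5.5.10 sorts after 5.5.8
    # (a plain string comparison would get this wrong).
    if version >= FIXED:              # assumption: later releases keep the fix
        return "FIXED"
    if version in PATCHABLE:
        # The version number alone cannot show whether the patch is applied.
        return "PATCH_OR_UPGRADE"
    return "UPGRADE"


# Constructed inventory: host name -> version reported by the server.
INVENTORY = {
    "help-01.example.internal": "5.5.8",
    "help-02.example.internal": "v5.4.10",
    "help-03.example.internal": "5.3.9",
    "help-04.example.internal": "5.4.9",
    "help-05.example.internal": "5.5.10",
    "help-06.example.internal": "n/a",
}


def report(inventory):
    """Return {host: status} for every server in the inventory."""
    return {host: triage(version) for host, version in sorted(inventory.items())}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:28} {INVENTORY[host]:8} {status}")
```

The password changes and login IP restrictions listed above apply regardless of the triage result, since the version check says nothing about whether a configuration file was already exposed.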
source: HelpNetSecurity