In a recent security audit, significant vulnerabilities were uncovered in SimpleHelp, a remote support software that has been gaining popularity among users.
Conducted by Horizon3, the audit revealed three critical security flaws that could potentially compromise both SimpleHelp servers and the client machines being managed through the platform. Following the disclosure of these vulnerabilities to SimpleHelp’s support team, the company quickly released patches to address the issues.
Overview of SimpleHelp
SimpleHelp serves three main roles: administrators, technicians, and customers. Administrators are responsible for setting up and configuring the SimpleHelp server, while technicians use the software to connect with customers in need of remote support. Customers, in turn, are the individuals seeking assistance.
To receive support, customers must download an executable from the SimpleHelp server and run it on their machines. Technicians also download a console executable from the server to provide assistance. The SimpleHelp server acts as a proxy, facilitating communication between technicians and customers. Additionally, the software offers an “unattended remote access” mode, allowing technicians to access customer machines without direct interaction.
Identified Vulnerabilities
The first vulnerability, identified as CVE-2024-57727, is a critical unauthenticated path traversal issue. This flaw allows attackers who are not logged in to download arbitrary files from the SimpleHelp server. This is particularly concerning because it could expose sensitive information, such as hashed passwords and other important configuration secrets, putting users at serious risk of unauthorized access to their accounts and data.
Next, we have CVE-2024-57728, which involves arbitrary file uploads leading to remote code execution. If an attacker gains access as the SimpleHelpAdmin user or as a technician with admin privileges, they can exploit this vulnerability to upload any file to the server. This could allow them to execute commands remotely, potentially giving them full control over the server.
Lastly, there’s CVE-2024-57726, a privilege escalation vulnerability. This issue allows low-privilege technicians to elevate their access to that of an admin due to missing authorization checks in the backend. Once they achieve admin status, they can exploit the previous vulnerabilities to take over the SimpleHelp server entirely.
Recommendations for Users
To determine the version of a SimpleHelp server, users can access the /allversions endpoint or inspect the HTTP Server header. Any version prior to 5.5.8, 5.4.10, or 5.3.9 is likely to be vulnerable.
Users are strongly urged to upgrade to the latest patched versions (5.5.8, 5.4.10, or 5.3.9) as soon as possible. SimpleHelp has published a KnowledgeBase article detailing the vulnerabilities and the necessary steps for remediation.
