Security researcher Naveen Sunkavally of Horizon3.ai has identified critical vulnerabilities in SimpleHelp, a popular remote support software tool. These flaws, if exploited, could allow attackers to compromise both SimpleHelp servers and client machines, posing significant risks to users.
SimpleHelp facilitates remote support through three primary roles:
- Administrators configure and manage the SimpleHelp server.
- Technicians provide remote support to customers.
- Customers receive assistance by running executables from the SimpleHelp server.
The server acts as a web application and proxy, mediating secure communication between technicians and customers. It supports unattended access, allowing technicians to interact with client machines without user input.
Sunkavally uncovered three critical vulnerabilities, which have been cataloged as follows:
- Unauthenticated Path Traversal (CVE Pending): Attackers can download arbitrary files from the server without authentication, exposing sensitive data such as serverconfig.xml, which contains hashed passwords, LDAP credentials, and API keys. This vulnerability is particularly severe because the configuration secrets in that file are encrypted with hardcoded keys. “Depending on how SimpleHelp is configured, attackers can gain access to other types of secrets in various files such as LDAP credentials, OIDC client secrets, API keys, and TOTP seeds used for MFA,” the researcher explains.
- Arbitrary File Upload to Remote Code Execution (CVE Pending): Authenticated attackers with admin privileges can upload arbitrary files, enabling remote code execution on the host machine. Attackers could deploy malicious scripts, such as a reverse shell, on Linux servers via crontab, or overwrite executable files on Windows systems. “For Linux servers, an attacker could exploit this vulnerability to upload a crontab file to execute remote commands. For Windows servers, an attacker could overwrite executables or libraries,” the researcher writes.
- Privilege Escalation from Technician to Admin (CVE Pending): Because backend authorization checks are missing, technicians with low privileges can escalate to admin status by crafting specific network calls. Once escalated, attackers can chain this with the file upload vulnerability to take full control of the server. “Through a crafted sequence of network calls, a technician can promote themselves to an admin,” the researcher warns.
The SimpleHelp version can be identified by querying the /allversions endpoint or inspecting the HTTP server header. Versions earlier than 5.5.8, 5.4.10, or 5.3.9 are vulnerable.
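As an added example (not code from the advisory or from SimpleHelp), the check below decides whether a version string already retrieved from the /allversions endpoint or the Server header falls before the fixed release of its branch; the exact response and header formats are not specified here, so the parser only assumes a dotted numeric version appears somewhere in the text, and the treatment of branches newer than 5.5 is an assumption.

```python
import re
from typing import Optional, Tuple

# Fixed releases per branch, as stated in the advisory.
FIXED = {
    (5, 3): (5, 3, 9),
    (5, 4): (5, 4, 10),
    (5, 5): (5, 5, 8),
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted numeric version, e.g. 'SimpleHelp/5.5.7' -> (5, 5, 7)."""
    m = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the version precedes its branch's fix, False if patched, None if unknown."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    v = (parsed + (0, 0, 0))[:3]  # normalise to major.minor.patch
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Branches older than the oldest fixed branch (5.2.x, 4.x, ...) predate every fix.
    if branch < min(FIXED):
        return True
    # Branches newer than 5.5 are not listed in the advisory; report as unknown (assumption).
    return None


def triage(inventory: dict) -> dict:
    """Map host -> 'vulnerable' | 'patched' | 'unknown' for a {host: version_text} inventory."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(text)] for host, text in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and version strings are made up.
    sample = {
        "support-a.example": "SimpleHelp/5.5.7",
        "support-b.example": "SimpleHelp/5.4.10",
        "support-c.example": "5.3.8",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```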
The vulnerabilities are described as “trivial to reverse and exploit,” raising concerns that they may already be exploited by threat actors.
Users are strongly advised to upgrade to SimpleHelp versions 5.5.8, 5.4.10, or 5.3.9 to mitigate these risks.