Wednesday, September 4, 2024

What is this, 1990?

SolarWinds issues security patch to eliminate hard coded password:

SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data

The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the baked-in creds.

[blink] [blink]

What makes this even more double-plus ungood is that SolarWinds is a security company.  They know that hard coded passwords are not just A Very Bad Thing Indeed, but considered harmful*.

I guess the only other possibility is that they don't know this, but I just don't believe that.  Heads should roll over this.

* Old computing graybeards will remember the ACM paper "GoTo Considered Harmful" which created such a furor that "considered harmful" is now considered harmful when used descriptively.

Except here, where it is 100% justified.

5 comments:

  1. Jesus...again?
    SolarWinds was all over us to use their products like...15 years ago. I said "hell no, we only run open source software for our remote access because we can verify the security". Then the first big SolarWinds breach happened back in...what? 2020?... due to hard-coded credentials or buggy software. A bunch of my competitors were affected. They hit us up again, and got the same response. They offered steep discounts. Same response.

    Here we are 4 years later, and I'm still being justified.
    People need to stop hiring point-and-click admins and then spending truckloads of cash on Fisher Price My First IT Job software to run things. Meanwhile my remote access and management costs still consist of about $30/mo worth of virtual machines...and it easily handles ~100 clients and tens of thousands of machines. $30/mo if you're smart enough, or $2.50 * ~15,000 computers per month if you're a point-and-click MSP.

    *sigh*

    ReplyDelete
  2. Fisher Price My First IT Job software

    Aaron, the Internets you just won will be available for pickup shortly, at the usual place. ;-)

    ReplyDelete
  3. So SolarWinds is a company run from a Five Eyes/Nine Eyes/Fourteen Eyes country and people are surprised at what they do?
    NEVER trust any software from such a company.
    And that definitely includes Microsoft products!

    ReplyDelete
  4. Then FORTRAN programmers hit back with "Letter O Considered Harmful".

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.