<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SimpleHelp — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/simplehelp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 25 Jun 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/simplehelp/feed.xml" rel="self" type="application/rss+xml"/><item><title>SimpleHelp Missing Authorization Vulnerability Leads to Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2024-06-simplehelp-privesc/</link><pubDate>Tue, 25 Jun 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-06-simplehelp-privesc/</guid><description>A missing authorization vulnerability in SimpleHelp (CVE-2024-57726) allows low-privileged technicians to create API keys with excessive permissions, potentially escalating privileges to the server admin role.</description><content:encoded><![CDATA[<p>CVE-2024-57726 affects SimpleHelp, a remote support software solution. This vulnerability stems from a missing authorization check, allowing low-privileged technicians to create API keys with elevated permissions beyond their intended scope. Specifically, these API keys can be manipulated to grant server admin privileges, potentially enabling unauthorized access to sensitive data and critical system configurations. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. 
Successful exploitation lets an attacker bypass the intended access controls, take complete control of the SimpleHelp server, and potentially pivot to other systems on the network. The vulnerability was disclosed in January 2025; organizations running affected SimpleHelp versions remain at risk until they upgrade.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A low-privileged technician logs into the SimpleHelp console with their existing credentials.</li>
<li>The technician leverages the missing authorization vulnerability to create a new API key.</li>
<li>During API key creation, the attacker manipulates the request to assign excessive permissions beyond their authorized access level.</li>
<li>The attacker uses the newly created API key to authenticate against the SimpleHelp API.</li>
<li>The attacker uses the elevated permissions carried by the key to call administrative API functions that the technician role would normally be refused.</li>
<li>Through those functions the attacker assigns themselves the server admin role, gaining complete control over the SimpleHelp server.</li>
<li>The attacker uses the server admin role to access sensitive data, modify system configurations, or create new administrative accounts.</li>
<li>The attacker potentially pivots to other systems within the network using the compromised SimpleHelp server as a stepping stone.</li>
</ol>
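<p>A miniature of the bug class, as an added example that is not SimpleHelp code: the role names, permission strings, function names and in-memory stores below are assumptions chosen to show the missing check, not the product's real API. <code>create_api_key_vulnerable</code> mints whatever grants the request names; <code>create_api_key_hardened</code> refuses any grant the caller does not already hold; <code>audit_overprivileged_keys</code> is the detection-side equivalent of looking for keys created with excessive permissions.</p>

```python
"""Missing authorization on API-key creation, modelled in miniature.

Added example, not SimpleHelp code: the roles, permission strings, function
names and the in-memory key store are assumptions made to illustrate the bug
class in the brief. A technician asks the server to mint an API key carrying
permissions the technician does not hold; the vulnerable handler never
compares the request against the caller's own grants, the hardened one does.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Hypothetical flat permission model (assumption, not SimpleHelp's real roles).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "technician": frozenset({"session:create", "session:view"}),
    "server_admin": frozenset({"session:create", "session:view",
                               "user:manage", "server:configure"}),
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str

    @property
    def permissions(self) -> frozenset[str]:
        return ROLE_PERMISSIONS[self.role]


@dataclass(frozen=True)
class ApiKey:
    token: str
    owner: str
    permissions: frozenset[str]


# Constructed user directory and key store standing in for the server's state.
DIRECTORY: dict[str, Principal] = {
    "tech01": Principal("tech01", "technician"),
    "root": Principal("root", "server_admin"),
}
KEY_STORE: dict[str, ApiKey] = {}


def create_api_key_vulnerable(caller: Principal, requested: set[str]) -> ApiKey:
    """Vulnerable: the permission list in the request is trusted verbatim.
    The only check is that the caller is logged in at all."""
    key = ApiKey(secrets.token_urlsafe(24), caller.name, frozenset(requested))
    KEY_STORE[key.token] = key
    return key


def create_api_key_hardened(caller: Principal, requested: set[str]) -> ApiKey:
    """Hardened: a key can never carry more than its creator currently holds."""
    excess = frozenset(requested) - caller.permissions
    if excess:
        raise PermissionError(
            f"{caller.name} ({caller.role}) cannot delegate {sorted(excess)}")
    key = ApiKey(secrets.token_urlsafe(24), caller.name, frozenset(requested))
    KEY_STORE[key.token] = key
    return key


def authorize(token: str, permission: str) -> bool:
    """Per-request check on the API: consults only the key's own grant set,
    which is why an over-broad key is as good as the admin role."""
    key = KEY_STORE.get(token)
    return key is not None and permission in key.permissions


def audit_overprivileged_keys() -> list[ApiKey]:
    """Detection-side sweep: keys whose grants exceed their owner's role.
    This is the condition a rule for "API key with excessive permissions"
    would look for in creation events."""
    return [k for k in KEY_STORE.values()
            if not k.permissions <= DIRECTORY[k.owner].permissions]


def demo() -> dict[str, object]:
    """Run the technician through both handlers and report what each allowed."""
    KEY_STORE.clear()
    tech = DIRECTORY["tech01"]
    wanted = {"session:view", "user:manage", "server:configure"}

    bad_key = create_api_key_vulnerable(tech, wanted)
    try:
        create_api_key_hardened(tech, wanted)
        blocked = False
    except PermissionError:
        blocked = True
    ok_key = create_api_key_hardened(tech, {"session:view"})

    return {
        "escalated": authorize(bad_key.token, "user:manage"),
        "hardened_blocked": blocked,
        "scoped_key_admin": authorize(ok_key.token, "user:manage"),
        "flagged_owners": [k.owner for k in audit_overprivileged_keys()],
    }


if __name__ == "__main__":
    print(demo())
```

<p>Run it directly to see the technician's over-broad key pass <code>authorize(..., "user:manage")</code> while the hardened handler raises <code>PermissionError</code>. The subset test is the whole fix, and it has to compare against the caller's current grants as the server knows them, never against anything carried in the request body.</p>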
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-57726 allows low-privileged technicians, or malicious actors who have compromised technician accounts, to escalate their privileges to the server admin role in SimpleHelp. This grants them complete control over the SimpleHelp server, potentially leading to data breaches, system downtime, and further compromise of the network. The vulnerability affects organizations using SimpleHelp versions 5.5.7 and earlier. The number of victims and specific sectors targeted remain unknown, but the potential impact is significant due to the sensitive nature of remote support software.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the mitigations provided by SimpleHelp for versions 5.5.7 and earlier (reference: <a href="https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier">https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier</a>).</li>
<li>Deploy the Sigma rule <code>Detect Suspicious SimpleHelp API Key Creation</code> to identify attempts to create API keys with excessive permissions.</li>
<li>Follow applicable BOD 22-01 guidance for cloud services or discontinue use of SimpleHelp if mitigations are unavailable.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>missing-authorization</category><category>cloud</category></item><item><title>SimpleHelp Path Traversal Vulnerability (CVE-2024-57728)</title><link>https://feed.craftedsignal.io/briefs/2024-06-simplehelp-path-traversal/</link><pubDate>Tue, 25 Jun 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-06-simplehelp-path-traversal/</guid><description>CVE-2024-57728 is a path traversal vulnerability in SimpleHelp that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>A path traversal vulnerability exists within SimpleHelp, identified as CVE-2024-57728. This flaw enables authenticated administrators to upload arbitrary files to any location on the server&rsquo;s file system. This is achieved through the use of a specially crafted ZIP archive (a technique known as Zip Slip). Successful exploitation allows an attacker to execute arbitrary code within the security context of the SimpleHelp server user. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. Defenders should apply vendor-provided mitigations or discontinue use of the software.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains administrative access to the SimpleHelp console, either through compromised credentials or exploiting a separate authentication bypass.</li>
<li>The attacker crafts a malicious ZIP archive containing an entry whose name carries a path traversal sequence (e.g., &ldquo;../../malicious.exe&rdquo;).</li>
<li>The attacker uploads the crafted ZIP archive to the SimpleHelp server through a file upload functionality available to administrators.</li>
<li>The SimpleHelp server extracts the contents of the ZIP archive without proper validation of the file paths.</li>
<li>The file with the path traversal sequence is extracted to an arbitrary location on the file system outside of the intended upload directory.</li>
<li>The attacker then needs the dropped file to run. Because the write location is arbitrary, this can be achieved without a separate execution primitive, for example by overwriting an existing system utility or service executable that the host already invokes.</li>
<li>The malicious executable runs with the privileges of the SimpleHelp server user.</li>
<li>The attacker achieves arbitrary code execution on the host, potentially leading to complete system compromise, data exfiltration, or deployment of ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-57728 allows an attacker to execute arbitrary code on the SimpleHelp server with the privileges of the SimpleHelp service account. This can result in a full compromise of the SimpleHelp server, potentially leading to data theft, service disruption, or further lateral movement within the network. The vulnerability affects SimpleHelp 5.5.7 and earlier, and the impact is high because it permits complete takeover of the host.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the mitigations provided by SimpleHelp to patch the vulnerability. Refer to the vendor advisory for instructions: <a href="https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier">https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier</a></li>
<li>Monitor SimpleHelp server file uploads for ZIP archives containing path traversal sequences (e.g., &ldquo;../&rdquo;) in filenames using a file integrity monitoring system (FIM) or endpoint detection and response (EDR) solution. Deploy the &ldquo;Detect SimpleHelp Path Traversal ZIP Upload&rdquo; Sigma rule to identify suspicious ZIP files.</li>
<li>Implement strict access controls and regularly audit administrative access to the SimpleHelp console to prevent unauthorized users from exploiting the vulnerability.</li>
</ul>
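<p>The extraction flaw in the attack chain above and the upload monitoring in the recommendations rest on the same check, so one added example covers both. It is not SimpleHelp code: the archive it builds, its entry names and the function names are constructed for the demonstration. <code>scan_archive</code> lists entries whose names would escape the extraction directory (the condition a monitoring rule for traversal in ZIP filenames tests), <code>naive_target</code> shows where an extractor that simply joins the entry name onto the destination would write, and <code>safe_extract</code> writes only entries that resolve inside the destination.</p>

```python
"""Zip Slip: crafted archive entries versus a traversal-aware extractor.

Added example, not SimpleHelp code. The archive is built in memory with
constructed entry names; the helpers show which names a monitor should flag,
where a naive extractor would have written them, and how to extract safely.
"""
from __future__ import annotations

import io
import os
import posixpath
import tempfile
import zipfile


def build_crafted_zip() -> bytes:
    """Constructed archive: one benign entry, one '../' escape, one absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("toolbox/readme.txt", "benign content\n")
        zf.writestr("../../../../tmp/malicious.sh", "#!/bin/sh\necho pwned\n")
        zf.writestr("/etc/cron.d/malicious", "* * * * * root /tmp/malicious.sh\n")
    return buf.getvalue()


def is_unsafe_entry(name: str) -> bool:
    """True if the entry name could land outside the extraction directory."""
    norm = name.replace("\\", "/")          # tolerate Windows-built archives
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True                          # absolute POSIX or drive-letter path
    # normpath collapses 'a/../b' to 'b'; a leading '..' survives only if the
    # name climbs above its starting directory.
    return posixpath.normpath(norm).split("/")[0] == ".."


def naive_target(dest: str, name: str) -> str:
    """Where an extractor that just joins and writes would put this entry."""
    return os.path.normpath(os.path.join(dest, name))


def scan_archive(data: bytes) -> list[str]:
    """Detection: entry names in the archive that contain traversal."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_unsafe_entry(n)]


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only entries that resolve inside dest; return paths written."""
    dest_real = os.path.realpath(dest)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_entry(info.filename):
                continue                     # reject before touching the filesystem
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # Re-check the resolved path: catches symlinks planted inside dest.
            if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real).replace(os.sep, "/"))
    return written


def demo() -> dict[str, object]:
    """Scan, show naive landing spots, and extract the constructed archive."""
    data = build_crafted_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.realpath(tmp)
        flagged = scan_archive(data)
        escapes = [n for n in flagged
                   if not naive_target(dest, n).startswith(dest + os.sep)]
        written = safe_extract(data, dest)
    return {"flagged": flagged, "escapes": escapes, "written": written}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

<p>Two details matter in practice: the name check must run before any join, because <code>os.path.join</code> discards the destination entirely when the entry name is absolute, and the joined path must be re-checked after <code>realpath</code> so that a symlink already sitting inside the directory cannot redirect a later write outside it.</p>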
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2024-57728</category><category>path-traversal</category><category>zip-slip</category></item></channel></rss>