Vulnerabilities in the SimpleHelp remote access software are trivial to exploit and could allow attackers to compromise the server and client machines, cybersecurity firm Horizon3.ai reports.
SimpleHelp provides remote support solutions that include file transfer, diagnostics, and task automation capabilities. It uses clients running on customers’ machines and a server that acts as a web application and a proxy between the customers and technicians.
The SimpleHelp infrastructure relies on three roles, namely an administrator that configures the SimpleHelp server, technicians that provide the required support, and customers that ask for assistance.
The solution also provides an ‘unattended remote access’ mode, which allows technicians to connect to customers’ machines without customer interaction.
Upon installation, SimpleHelp creates an administrative account that can also be used as a technician, but SimpleHelp recommends disabling the account and creating separate technician accounts instead, as these can also be designated as administrators.
Horizon3.ai’s analysis of the remote access solution revealed a path traversal vulnerability that enables unauthenticated attackers to retrieve arbitrary files from the SimpleHelp server.
Tracked as CVE-2024-57727 (CVSS score of 7.5), the bug could allow attackers to retrieve logs and configuration files, which are encrypted with a hardcoded key, and to access LDAP credentials, OIDC client secrets, API keys, and other secrets.
A second issue, tracked as CVE-2024-57728 (CVSS score of 7.2), could allow attackers who log in as administrators or technicians to upload arbitrary files anywhere on the server host.
The attacker could execute remote commands on Linux systems, or gain remote code execution on Windows by overwriting SimpleHelp executables and libraries.
“Admins also have the ability to interact with any connected customer machines or access customer machines directly if unattended access is configured,” Horizon3.ai says.
A third security defect, tracked as CVE-2024-57726 (CVSS score of 9.9), could allow an attacker logged in as a low-privilege technician to elevate their privileges to administrator.
Because some admin functions were found to be missing backend authorization checks, a technician could use a crafted sequence of network calls to obtain admin privileges, and then exploit the arbitrary file upload flaw to take over the SimpleHelp server.
SimpleHelp was notified of these vulnerabilities on January 6 and released patches for them on January 8 and January 13. SimpleHelp versions 5.5.8, 5.4.10, and 5.3.9 contain the necessary fixes.
“While we do not know of any exploits of this vulnerability, it is possible that the server’s configuration file could be exposed,” SimpleHelp notes in its advisory, urging customers to update their installations as soon as possible and to change the passwords for the administrator and technician accounts.
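As an added example (not code from Horizon3.ai or SimpleHelp), the following sketch triages an inventory of SimpleHelp servers against the fixed releases named above. It assumes version strings in `major.minor.patch` form; the host names, the inventory, and the function names are constructed for illustration, and branches the article does not mention are reported as unknown rather than guessed.

```python
import re

# Fixed releases per branch, as listed in the article: 5.5.8, 5.4.10, 5.3.9.
FIXED = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Parse 'major.minor.patch' (optional leading 'v') into an int tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not covered by the article: needs manual review.
        return "unknown"
    # Integer tuples compare numerically, so 5.4.9 < 5.4.10; comparing the
    # raw strings would wrongly rank "5.4.9" above "5.4.10".
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Group hosts by status; inventory maps host name -> version string."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory.items():
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "support-eu.example.internal": "5.5.7",
    "support-us.example.internal": "5.5.8",
    "helpdesk.example.internal": "5.4.9",
    "lab.example.internal": "v5.3.9",
    "old-box.example.internal": "5.2.3",
    "unlabelled.example.internal": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(sorted(hosts)) or '-'}")
```

Hosts in the vulnerable group also fall under the advisory's guidance to change administrator and technician passwords after updating.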