Advisory

Critical Pre-Authentication SQL Injection vulnerability reported in Halo ITSM

Take action: If you are running on-premise Halo ITSM software, check whether you can isolate it from the internet. If you cannot, patch immediately, because hackers will attack your system, most likely through automated attacks. If you can isolate it, you have some breathing room, but do not ignore this flaw.


Learn More

Searchlight Cyber has discovered a critical pre-authentication SQL injection vulnerability in Halo ITSM (IT Support Management) software. 

The vulnerability is tracked as CVE-2024-0402 (CVSS score 9.9), and allows unauthenticated attackers to execute arbitrary SQL queries against the Halo ITSM database by exploiting a weakness in the PostLogMeIn function within the PostNotify controller. The issue stems from inadequate type enforcement where user input from an untyped dictionary object is directly concatenated into SQL queries without proper sanitization.
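The following is an added illustration of the pattern the advisory describes, not Halo ITSM's code and not the actual PostLogMeIn logic (whose source the advisory does not show): a value read from an untyped dictionary is concatenated into SQL text, shown beside a hardened version that enforces the expected type and binds the value as a query parameter. The table, rows and lookup names are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a ticketing database (not Halo's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER, ref TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [(1, "T-1001", "printer jam"), (2, "T-1002", "vpn reset, see attached creds")],
    )
    return db


def lookup_vulnerable(db, params):
    # Mirrors the weakness in the advisory: a value pulled from an untyped
    # dictionary is concatenated straight into the SQL string, so the database
    # engine cannot tell the caller's data apart from query syntax.
    ref = params.get("ref")
    sql = "SELECT body FROM tickets WHERE ref = '" + str(ref) + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, params):
    # Hardened form: reject anything that is not the expected type, then pass
    # the value as a bound parameter so it is always treated as data.
    ref = params.get("ref")
    if not isinstance(ref, str):
        raise TypeError("ref must be a string")
    rows = db.execute("SELECT body FROM tickets WHERE ref = ?", (ref,))
    return [row[0] for row in rows]


# Constructed probe string: a quote that closes the literal followed by an
# always-true condition. The vulnerable lookup returns every ticket, the
# fixed lookup treats the whole string as a (non-matching) ticket reference.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, {"ref": PROBE}))
    print("fixed:", lookup_fixed(db, {"ref": PROBE}))
```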

This vulnerability could allow attackers to read sensitive data from the IT support database, including credentials and internal documentation; modify or insert data in the database; add themselves as administrators and completely compromise the system; and gain access to integrated systems and cloud providers connected to Halo ITSM.

The vulnerability affects approximately 1,000 cloud deployments of Halo ITSM under the haloitsm.com domain, plus an undisclosed number of on-premise deployments. Halo ITSM is considered critical infrastructure as it houses IT support tickets often containing credentials and internal documentation.

The vulnerability has been patched in the following releases:

  • Version 2.174.94
  • Candidate version 2.184.23
  • Beta version 2.186.2

On-premise customers are urged to upgrade immediately to these or later versions.
