UK-based Halo recently patched a potentially serious vulnerability in its IT service management (ITSM) software, attack surface management firm Assetnote reported on Wednesday.
According to Assetnote, HaloITSM is affected by an SQL injection vulnerability that could be exploited by an unauthenticated attacker. Roughly 1,000 cloud deployments may have been vulnerable to remote attacks, in addition to on-premises deployments exposed to network attackers.
A threat actor could exploit the vulnerability to read, modify, or insert data into the ITSM software, explained Assetnote, a Searchlight Cyber company.
“As an IT Support Management tool, Halo is often integrated with various internal and external systems and cloud providers, as well as containing sensitive information such as configuration files and credentials,” said Shubham Shah, SVP of Engineering and Research at Searchlight.
Shah added, “This means that an attacker could have used this vulnerability to compromise any of the integrated systems, obtain sensitive data stored on the system, or even add themselves as an administrator and take over the instance.”
The vendor has patched the vulnerability with the release of versions 2.174.94, 2.184.23 (candidate), and 2.186.2 (beta), and on-premises instances should be updated as soon as possible.
Assetnote pointed out that while this particular vulnerability has been patched, its analysis indicates that the Halo product has a large attack surface, being exposed particularly to post-authentication attacks.
The security firm has made available technical details for the SQL injection vulnerability found in HaloITSM.
Related: Details Emerge on CVE Controversy Around Exploited CrushFTP Vulnerability
Related: Google Released Second Fix for Quick Share Flaws After Patch Bypass
Related: Critical Vulnerability Found in Canon Printer Drivers
