
Security Vulnerabilities in SimpleHelp 5.5.7 and earlier

SimpleHelp versions 5.5.7 and earlier are affected by a set of security vulnerabilities. This Knowledge Base article discusses the impact of these vulnerabilities, and the steps customers can take to secure SimpleHelp.

Updates

  • Added 5.3.9 patch, and password reset instructions.

Suggested Action Summary

These vulnerabilities are severe. Please upgrade or patch your SimpleHelp server to a secure release as soon as possible.

We also recommend taking these steps:

  • Change the Administrator password of the SimpleHelp server.
  • Change the passwords for Technician accounts, where technicians do not log in using a third-party authentication service.
  • Restrict the IP addresses that the SimpleHelp server can expect Technician and Administrator logins from, where possible.

Vulnerability Details

Following an independent audit of SimpleHelp, three vulnerabilities were identified:

  • A malicious user can use a customised download URL to retrieve files from a SimpleHelp server that are not intended for distribution. These might include application resources, or data not related to SimpleHelp.

  • A malicious user with technician access to a SimpleHelp instance can use a customised sequence of Technician Console commands to gain Administrator Technician access to the SimpleHelp server.

  • A malicious user with technician access to a SimpleHelp instance can use a customised sequence of Technician Console commands to write data on the server outside of the expected data storage locations.

Affected Versions

These vulnerabilities affect SimpleHelp v5.5.7 and all earlier releases.

Steps to Secure SimpleHelp

The easiest method to prevent malicious access is to upgrade your SimpleHelp server as soon as possible.

  • SimpleHelp v5.5 Users - A new release of SimpleHelp v5.5.8 is available now that resolves these vulnerabilities. It is currently available on our Download Page.
  • SimpleHelp v5.4 Users - A patch for SimpleHelp v5.4.10 is now available. Instructions for downloading and applying this patch are detailed below.
  • SimpleHelp v5.3 Users - A patch for SimpleHelp v5.3.9 is now available. Instructions for downloading and applying this patch are detailed below.

While we are not aware of these vulnerabilities having been exploited, the download vulnerability could expose the server's configuration file. We therefore recommend taking these additional steps, where possible:

  • Change the Administrator password of the SimpleHelp server. See Administration Guide for details.
  • Change the passwords for Technician accounts, where technicians do not log in using a third-party authentication service like Active Directory. See Administration Guide for details.
  • Restrict the IP addresses that the SimpleHelp server can expect Technician and Administrator logins from, where possible. See Login Restrictions for details.

Upgrading to v5.5.8

Download and install the latest release on our Download Page for your server platform.

  • Windows: Download and run the server installer on your SimpleHelp server. The server will automatically update and your configuration will be preserved.
  • Linux: We suggest using the Linux Installation Script to easily upgrade your Linux SimpleHelp instance.

After the upgrade, the /allversions page of your SimpleHelp server should list the new server version:

Visual Version:       5.5.8

Patching v5.4.10

This patch is specifically for customers running v5.4.10. The steps to apply the patch are as follows:

  1. Stop your SimpleHelp server instance.
    • On Windows stop the SimpleHelp Server Windows service.
    • On Linux, run the serverstop.sh script.
  2. In your SimpleHelp server's installation location, overwrite the file lib/shelp-jar-with-dependencies.jar with this version. Check that the SHA1 digest of the downloaded file is d5db71980f853ae47970adc4328d6a5e11e52ba4 before copying it into place.
  3. Start your SimpleHelp server instance.

To verify the patch has been applied, check the server's log for the Patch line:

[SimpleHelp] Server Version v5.4.10
...
[SimpleHelp] Patch 070125

Patching v5.3.9

This patch is specifically for customers running v5.3.9. The steps to apply the patch are as follows:

  1. Stop your SimpleHelp server instance.
    • On Windows stop the SimpleHelp Server Windows service.
    • On Linux, run the serverstop.sh script.
  2. In your SimpleHelp server's installation location, overwrite the files secure_utils.jar, secure_nlink.jar and secure_shelp.jar in the lib directory with the versions in this ZIP. Check that the SHA1 digest of the downloaded ZIP is c490c1d715bac726d2414022c7d9afef5534566d before extracting it.
  3. Start your SimpleHelp server instance.

To verify the patch has been applied, check the server's log for the Patch line:

[SimpleHelp] Server Version v5.3.9
...
[SimpleHelp] Patch 070125
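The following shell script is an added example, not SimpleHelp's own tooling, of the patch procedure for both the v5.4.10 and v5.3.9 patches with the checks a practitioner would want: it refuses to install a replacement file unless its SHA1 digest matches the digest published in this article, keeps a backup of the file it replaces, confirms the Patch line in the server log afterwards, and reads the version from a saved copy of the /allversions page as described under "Upgrading to v5.5.8". The install directory /opt/SimpleHelp, the log file name server.log and the backup naming are assumptions; the file names, digests and log lines are the ones given above.

```shell
#!/bin/sh
# Added example (not SimpleHelp's own tooling): apply a SimpleHelp lib patch
# only after its SHA-1 digest matches the one the advisory publishes, keep a
# backup of the file being replaced, and confirm the result from the log.
# Assumptions: install dir /opt/SimpleHelp, log file server.log, backup
# naming; file names, digests and log lines are those given in the article.
set -eu

# Print the SHA-1 digest of FILE (coreutils sha1sum, or shasum on macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if FILE's digest equals EXPECTED (hex, any case).
verify_sha1() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha1_of "$1")" = "$expected" ]
}

# Replace INSTALL_DIR/lib/<name of NEW_FILE> with NEW_FILE after verifying
# NEW_FILE against EXPECTED. Keeps a timestamped backup of the original and
# touches nothing if the digest does not match or the target is missing.
install_patched_jar() {
    install_dir=$1 new_file=$2 expected=$3
    target="$install_dir/lib/$(basename "$new_file")"
    if ! verify_sha1 "$new_file" "$expected"; then
        echo "digest mismatch for $new_file; not installing" >&2
        return 1
    fi
    if [ ! -f "$target" ]; then
        echo "no existing $target; is $install_dir the install location?" >&2
        return 1
    fi
    cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    cp "$new_file" "$target"
}

# Succeed if LOGFILE shows both the expected Server Version line and the
# Patch line (format as shown in the article).
patch_applied() {
    grep -qF "[SimpleHelp] Server Version $2" "$1" &&
        grep -qF "[SimpleHelp] Patch $3" "$1"
}

# Print the version reported on the /allversions page, given its saved text
# (for example saved with: curl -s https://server.example/allversions).
visual_version() {
    sed -n 's/^Visual Version:[[:space:]]*//p' "$1" | head -n 1
}

# Typical run for the v5.4.10 patch, once the server has been stopped
# (SimpleHelp Server Windows service, or serverstop.sh on Linux):
#   install_patched_jar /opt/SimpleHelp ./shelp-jar-with-dependencies.jar \
#       d5db71980f853ae47970adc4328d6a5e11e52ba4
# For the v5.3.9 ZIP, verify the archive first, then unpack into lib:
#   verify_sha1 patch.zip c490c1d715bac726d2414022c7d9afef5534566d &&
#       unzip -o patch.zip secure_utils.jar secure_nlink.jar secure_shelp.jar \
#           -d /opt/SimpleHelp/lib
# After the server has been started again:
#   patch_applied /opt/SimpleHelp/server.log v5.4.10 070125 && echo patched
```

The digest check runs before anything is written, so a corrupted or substituted download leaves the installation untouched, and the backup lets you roll back if the server fails to start after the patch.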

Send us your Questions

Please Contact Us with any queries, or if you need more information.