SimpleHelp Remote Support Software Privilege Escalation Vulnerability

A vulnerability in SimpleHelp remote support software versions 5.5.7 and prior allows low-privilege technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role. The vulnerability arises from missing backend authorization checks on certain admin functions, enabling technicians to promote themselves to admin through a crafted sequence of network calls. Once elevated to admin, a technician could exploit other vulnerabilities to compromise the SimpleHelp server and connected client machines.

Impact

Exploitation of this vulnerability allows low-privilege technicians to gain administrative rights on the SimpleHelp server. This privilege escalation could lead to unauthorized access and control over connected client machines, especially if unattended access is configured, potentially allowing for further exploitation or unauthorized actions on those machines.

Remediation

Users are advised to upgrade to SimpleHelp versions 5.5.8, 5.4.10, or 5.3.9. Instructions for applying the patch are available on the SimpleHelp website.