SolarWinds alerted customers about attacks on Web Help Desk (WHD) instances that were exposed to the Internet and recommended they remove those from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is a helpdesk ticketing and IT inventory management software for businesses that aim to automate ticketing and IT asset management operations.
SolarWinds stated, "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue. In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more."
Customers who are unable to remove WHD instances from servers that are accessible to the Internet should install EDR software and monitor them for attack attempts.
SolarWinds hasn't been able to replicate the scenario, the business is working with the customer to analyse the report.
A SolarWinds spokesperson told BleepingComputer, "We received a report from one customer about an attempted attack that was not successful. While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted."
Although SolarWinds did not specify what tools or tactics were utilised in the attack, there are at least four security flaws that an attacker may use to target t an unpatched WHD instance:
• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8
According to the CVE-2021-35251 advisory, attackers might use unsecured WHD instances to gain access to environmental details about the Web Help Desk installation, making the other three security flaws easier to exploit.
