SolarWinds warned customers about attacks targeting Internet-facing Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure, a precaution that may prevent exploitation of a potential security vulnerability.
WHD is an IT inventory management and enterprise help desk ticket management software designed to help customers automate IT ticket and asset management tasks.
“A SolarWinds customer reported an attempted external attack on their Web Help Desk (WHD) 12.7.5 instance. The customer’s Endpoint Detection and Response (EDR) system blocked the attack and alerted the customer to the issue,” SolarWinds said.
“With great caution, SolarWinds recommends that all Web Help Desk customers with external WHD implementations remove it from your public (internet-facing) infrastructure until we know more.”
Customers who cannot immediately remove WHD instances from Internet-facing servers are encouraged to deploy EDR software and monitor attack attempts.
SolarWinds is working with the customer to investigate the report even though the company was unable to replicate the scenario.
“We received a report from a customer regarding an attempted attack that was unsuccessful,” a SolarWinds spokesperson told BleepingComputer.
“While we investigate this matter, we have also alerted other customers to this potential issue out of an abundance of caution. At this stage, we have no reason to believe any other customers have been affected.”
Web Help Desk Vulnerabilities
Although SolarWinds did not provide any details about the tools or techniques used in the attack, there are at least four different security vulnerabilities an attacker could exploit to target an unpatched WHD instance:
- Bypassing Access Restriction via Referrer Spoofing – Business Logic Bypass Vulnerability (CVE-2021-32076) – Fixed in WHD 12.7.6
- HTTP PUT & DELETE methods enabled (CVE-2021-35243) – Fixed in WHD 12.7.7 Hotfix 1
- Hard-coded credentials allowing execution of arbitrary HSQL queries (CVE-2021-35232) – Fixed in WHD 12.7.7 Hotfix 1
- Sensitive Data Disclosure Vulnerability (CVE-2021-35251) – Fixed in WHD 12.7.8
As detailed in CVE-2021-35251, attackers could exploit unpatched WHD instances to gain access to environmental details of the Web Help Desk installation, which could facilitate abuse of the other three security bugs.
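Defenders triaging this advisory mostly need two facts per WHD instance: its version relative to the four fix levels listed above, and whether it is reachable from the Internet. The following added example (not SolarWinds code; the version table and the sample inventory are constructed here from the list on this page) parses WHD version strings, including the "Hotfix N" suffix, and reports which CVEs remain unpatched and which hosts the advisory says to pull off public infrastructure:

```python
import re

# Fix levels taken from the four CVEs listed above, as (major, minor, patch, hotfix).
# Hotfix 0 means the base release; constructed from this page, not a vendor feed.
WHD_FIXES = {
    "CVE-2021-32076": (12, 7, 6, 0),   # Fixed in WHD 12.7.6
    "CVE-2021-35243": (12, 7, 7, 1),   # Fixed in WHD 12.7.7 Hotfix 1
    "CVE-2021-35232": (12, 7, 7, 1),   # Fixed in WHD 12.7.7 Hotfix 1
    "CVE-2021-35251": (12, 7, 8, 0),   # Fixed in WHD 12.7.8
}

# Accepts "12.7.5", "12.7.7 Hotfix 1", "12.7.7 hotfix1" and similar.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*hotfix\s*(\d+))?\s*$", re.IGNORECASE)


def parse_whd_version(text):
    """Turn a WHD version string into a comparable tuple; hotfix defaults to 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def unpatched_cves(version_text):
    """Return the CVE ids from the advisory whose fix level is newer than this version."""
    version = parse_whd_version(version_text)
    return sorted(cve for cve, fixed_in in WHD_FIXES.items() if version < fixed_in)


def triage(inventory):
    """Map each host to the actions the advisory implies for it.

    inventory: list of dicts with keys host, version, internet_facing.
    """
    report = {}
    for entry in inventory:
        actions = []
        if entry["internet_facing"]:
            actions.append("remove from public infrastructure or ensure EDR coverage")
        missing = unpatched_cves(entry["version"])
        if missing:
            actions.append("upgrade to at least 12.7.8 (" + ", ".join(missing) + ")")
        report[entry["host"]] = actions or ["no action from this advisory"]
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        {"host": "whd-dmz.example", "version": "12.7.5", "internet_facing": True},
        {"host": "whd-lan.example", "version": "12.7.7 Hotfix 1", "internet_facing": False},
    ]
    for host, actions in triage(sample).items():
        print(host, "->", "; ".join(actions))
```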