SolarWinds warns of attacks targeting Web Help Desk instances

SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw).

WHD is an enterprise helpdesk ticketing and IT inventory management software designed to help customers automate ticketing and IT asset management tasks.

"A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue," SolarWinds said.

"In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more."

Customers who cannot immediately remove WHD instances from Internet-exposed servers are advised to deploy EDR software and monitor them for attack attempts.

SolarWinds is working with the customer to investigate the report even though the company hasn't been able to reproduce the scenario.

"We received a report from one customer about an attempted attack that was not successful," a SolarWinds spokesperson told BleepingComputer.

"While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted."

Web Help Desk vulnerabilities

Although SolarWinds did not provide any details on what tools or techniques were used in the attack, there are at least four different security vulnerabilities an attacker could exploit to target an unpatched WHD instance:

• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8

As detailed in the CVE-2021-35251 advisory, attackers could exploit unpatched WHD instances to access environmental details about the Web Help Desk installation, which might make abusing the other three security bugs easier.