SolarWinds Corporation is a company based in the United States that creates software to assist organizations in managing their networks, systems, and information technology infrastructure.
Back in 2020 SolarWinds was affected by a large-scale cyber incident in which attackers injected malware into routine software updates as they were being rolled out to as many as 18,000 SolarWinds customers, including government entities and Fortune 500 companies. Following that attack, the US Congress took an interest in enacting a federal law requiring breach notifications.
What Happened?
SolarWinds alerted customers about attacks on Internet-exposed Web Help Desk (WHD) instances and recommended that they be removed from publicly accessible infrastructure, most likely to prevent the exploitation of a potential security flaw.
WHD is corporate helpdesk ticketing and IT inventory management software that is meant to assist clients in automating ticketing and IT asset management operations.
A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer’s endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue.
SolarWinds is currently investigating this report. We have not been able to reproduce the scenario, and are working with the customer to further the investigation.
In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more. If you are not able to remove it from your public infrastructure at this time, we recommend you ensure you have EDR software deployed, and are monitoring the WHD instance.
Customers who cannot immediately remove WHD instances from Internet-exposed servers are advised to deploy EDR software and monitor them for attack attempts.
SolarWinds is working with the customer to investigate the report, even though the company has not been able to reproduce the scenario.
We received a report from one customer about an attempted attack that was not successful.
While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted.
According to BleepingComputer, even though SolarWinds did not share specifics on the tools or tactics used in the attack, there are at least four separate security flaws that could be exploited against an unpatched WHD instance:
- Access Restriction Bypass Via Referrer Spoof – Business Logic Bypass Vulnerability (CVE-2021-32076) – Fixed in WHD 12.7.6
- Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) – Fixed in WHD 12.7.7 Hotfix 1
- Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) – Fixed in WHD 12.7.7 Hotfix 1
- Sensitive Data Disclosure Vulnerability (CVE-2021-35251) – Fixed in WHD 12.7.8
According to the CVE-2021-35251 advisory, attackers could obtain environmental details about the Web Help Desk installation from unpatched instances, making the other three flaws easier to exploit.
Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation.
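As an added example (not code from SolarWinds or from the original article), the following Python turns the fixed-version list above into an inventory check: it orders WHD builds correctly across hotfixes, reports which of the four CVEs remain open for a given build, and attaches the interim advice from the advisory to any vulnerable host that is still Internet-facing. The hostnames and versions in the sample inventory are constructed for the example.

```python
import re

# First patched Web Help Desk release for each CVE, as listed in the article above.
WHD_FIXES = {
    "CVE-2021-32076": "12.7.6",
    "CVE-2021-35243": "12.7.7 Hotfix 1",
    "CVE-2021-35232": "12.7.7 Hotfix 1",
    "CVE-2021-35251": "12.7.8",
}
# Accepts "12.7.7" or "12.7.7 Hotfix 1"; anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s+Hotfix\s+(\d+))?\s*$", re.IGNORECASE)


def parse_whd_version(text):
    """Return ((major, minor, patch), hotfix) so that 12.7.7 < 12.7.7 Hotfix 1 < 12.7.8."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    release = tuple(int(part) for part in match.group(1).split("."))
    return (release, int(match.group(2) or 0))  # a plain release counts as hotfix 0


def unpatched_cves(installed):
    """CVEs from WHD_FIXES whose fix is newer than the installed build, sorted by id."""
    have = parse_whd_version(installed)
    return sorted(cve for cve, fixed in WHD_FIXES.items() if have < parse_whd_version(fixed))


def triage_inventory(inventory):
    """Map (hostname, version, internet_facing) rows to findings carrying the article's advice."""
    findings = []
    for host, version, internet_facing in inventory:
        open_cves = unpatched_cves(version)
        if not open_cves:
            action = "none: all four CVEs patched"
        elif internet_facing:
            action = "remove from Internet-facing infrastructure, or keep EDR deployed and monitor; then patch"
        else:
            action = "patch at next maintenance window"
        findings.append({"host": host, "version": version, "open_cves": open_cves, "action": action})
    return findings


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("whd-dmz-01", "12.7.5", True),
    ("whd-int-02", "12.7.7 Hotfix 1", False),
    ("whd-int-03", "12.7.8", False),
]

if __name__ == "__main__":
    print(*triage_inventory(SAMPLE_INVENTORY), sep="\n")
```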