SolarWinds has alerted its customers against attacks targeting internet-exposed Web Help Desk (WHD) instances. The firm suggested removing instances with publicly accessible infrastructure.
The ongoing attacks
According to SolarWinds, one of its customers reported an attempted attack on an instance of WHD 12.7.5.
The customer's EDR system had stopped the attack and alerted them about the issue.
Further, the tech firm is working with the targeted customer to examine the report even though failing in reproducing the scenario.
Flaws in WHD instances
The tech firm did not provide any information regarding the used tools or techniques in the attack. However, there are four known security vulnerabilities an attacker may abuse in unpatched WHD instances.
The first flaw is an access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076), fixed in WHD 12.7.6.
The second flaw is an enabled HTTP PUT & DELETE Methods flaw (CVE-2021-35243), fixed in WHD 12.7.7 Hotfix 1.
The third is related to hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232), fixed in WHD 12.7.7 Hotfix 1.
The last one is sensitive Data Disclosure Vulnerability (CVE-2021-35251), fixed in WHD 12.7.8.
An attacker may take advantage of unpatched WHD instances (CVE-2021-35251) for getting access to environmental details about the installation for exploitation of the other three security flaws.
Words of caution
SolarWinds recommends all its customers use WHD with an externally facing implementation to remove it from the internet.
Moreover, customers who are unable to remove WHD instances from internet-exposed servers are recommended by SolarWinds to deploy EDR software and monitor them for attack attempts.
Ending notes
Although the recent attacks attempt failed, the customers with an unpatched WHD instance are still prone to some risk. Thus, users should immediately apply the patches to fix the exploited flaws. Further, always use a reliable anti-malware solution for better protection.