This notice was sent last night (March 15, 2022). It seems very vague and the evidence provided doesn't seem to warrant removing these servers from the Internet. We have our WHD servers behind an F5 load balancer with advanced web protections in addition to our network firewall and IPS plus local advanced threat protection. Removing these servers from the Internet would put a hit on our operations and will generate calls to the help desk from people unable to access the service.
What are the rest of you doing? I am thinking of riding this out until SolarWinds provides more info.
Also, would upgrading to 12.7.6 remediate the vulnerability?
Summary
A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer’s endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue.
SolarWinds is currently investigating this report. We have not been able to reproduce the scenario, and are working with the customer to further the investigation.
In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more. If you are not able to remove it from your public infrastructure at this time, we recommend you ensure you have EDR software deployed, and are monitoring the WHD instance.
Affected Products
- Only Web Help Desk 12.7.5