We have found what appears to be a major security flaw in Web Help Desk with relation to tech accounts and LDAP authentication. We first reported this problem to Solarwinds on April 9, 2017. Solarwinds acknowledges that this is a bug in their product (“our development group has investigated your issue and have identified a bug in our product”) but, to date, I’ve not seen a solution or even a customer advisory from Solarwinds.
Past security flaws I’ve brought to Solarwinds’ attention have taken, what I consider, an unacceptably long time for them to fix. As a result, I’ve made the decision to publicly release the information on this flaw so that other customers to safeguard their systems as well as to pressure Solarwinds to fix it.
Disclaimer: I’m not a security researcher, nor do I have any specialized security training. I’m a general IT guy. We’ve seen this security flaw on our version of WHD (220.127.116.117) and I believe that Solarwinds has replicated the problem on their side. I have no idea how easy it is to replicate this on other systems, what exactly is required for it to happen or what versions of WHD may be susceptible.
The Details: We have multiple companies and multiple LDAP connections on our WHD instance. Typically, users log in with their full email address and LDAP password.
We recently had an end user (not a tech) log into the system with their LDAP user name and password, instead of their email and password. Normally this wouldn’t work but in this case, it did. After investigating, we found that, by fluke, their user name is the same as one of our tech’s defined “user names” in WHD. This end user was then logged into our system as our technician under his account – not into the system as the user in question. This meant the end user had full tech access to WHD!
Here’s a theoretical example of how this flaw works:
Tech’s Company: Company 1
Tech’s WHD name: John Smith
Tech’s WHD email: firstname.lastname@example.org
Tech’s WHD tech user name: JSmith
User’s Company: Company 2
User’s LDAP name: Janette Smith
User’s LDAP email address: email@example.com
User’s LDAP ID: JSmith
If Janette logs in as “firstname.lastname@example.org” with her normal password, everything works correctly. If Janette logs in as “jsmith” with her normal password, WHD will log her in as the tech John Smith!
At this time we don’t have a good workaround for this security flaw but Solarwinds has suggested the following: “Set Setup->Techs->Techs->[Affected Tech]->Account Info->LDAP Authentication to false and delete linked client account. The tech will then have to login using username/password from WHD or as a client using email and password from LDAP.”