50 Replies Latest reply on Nov 24, 2017 7:06 AM by milan.hulik

    Web Help Desk® 12.5.1 Hotfix 1

    rodegard

Hi Thwack Community.

I'm confused about 12.5.1 Hotfix 1. The release notes state the correction will prevent Techs from signing on via LDAP authentication. I ran the first script in the Hotfix and it identified all of our active Techs. Does this vulnerability mean I have to have all Techs use a separate password? Or does it mean I have to prevent clients from using LDAP? Asking clients to provide a password to use WHD will not be an acceptable solution for our company.

Any and all advice is welcome!!

      Thanks.

      Rick

        • Re: Web Help Desk® 12.5.1 Hotfix 1
          typhoon87

          I agree that the language in the description is confusing.

          • Re: Web Help Desk® 12.5.1 Hotfix 1
            mbelcik

            Would also like clarification on this.

            • Re: Web Help Desk® 12.5.1 Hotfix 1
              rodegard

In the SolarWinds Customer Portal, under Downloads, click on the What’s New in this Hot Fix for details.

                • Re: Web Help Desk® 12.5.1 Hotfix 1
                  pabely

The way this was described to me by support was that in doing this routine (which only applies to LDAP-enabled Techs), should the LDAP server go down, the newly recorded password in the DB can be used as a fallback, which is correctly stored with an MD5 hash in the DB.

Thus your Techs can still log in without you having to manually change the LDAP-enabled settings per Tech in the TECH table. Previously we advised any Tech Admins not to use LDAP so they had a backdoor; with this change they can have an LDAP login as well.

                    • Re: Web Help Desk® 12.5.1 Hotfix 1
                      johndcciu

If this is the case, why does the script clear the LDAP flag? Why not just generate a new local password, but leave the LDAP flag in place? This hotfix is very badly explained/documented. It says nothing official about "two or more LDAP connections" and there doesn't seem to be any reason to disable LDAP in the script if the issue is just to generate a new fallback password.

                      Can someone official from SolarWinds weigh in on this?  And whoever does that should also tell whoever wrote the documentation for this HotFix to rewrite it to be complete and make some sense.

                        • Re: Web Help Desk® 12.5.1 Hotfix 1
                          milan.hulik

It clears it to get you ready for the upcoming release, where there will be no LDAP flag for techs (even if you have only 1 LDAP connection). So the best thing you can do now is to set a WHD password for all your techs, link all tech accounts with their respective client accounts, and have LDAP enabled for clients (where you use the full email address to log in to WHD).

                    • Re: Web Help Desk® 12.5.1 Hotfix 1
                      rodegard

                      I’m not sure – but it appears this may be an authentication issue with your MySQL database?  The Tech table is core.  I ran the SQL against our MS SQL table and it worked.  I have to run the SQL using an ID that has access to the tables.

                      • Re: Web Help Desk® 12.5.1 Hotfix 1
                        milan.hulik

This HotFix is optional. The vulnerability exists only if you use 2 or more LDAP connections.

The 1st script will return a list of all tech accounts that are vulnerable.

The 2nd script will then prevent affected Techs from logging in with their LDAP password and will force all techs to use their WHD password to log in.

You can then link the Tech account with the tech's Client account (create one if you do not have one for each tech). This will enable the tech to use his client account's LDAP credentials to connect to the Tech view.
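The two posts above describe the same mechanism from two sides: a locally stored WHD password that serves as a fallback for an LDAP-enabled tech, and a two-step procedure that first lists the LDAP-enabled tech accounts and then clears their LDAP flag so they log in with the WHD password. The block below is an added example that models that behaviour; it is not WHD's code, not the hotfix's SQL, and the `Tech` record, the `DIRECTORY` stand-in and every function name are assumptions for illustration. As a design choice the local password is stored with salted PBKDF2 rather than the MD5 mentioned in the thread, and the fallback is consulted only when the directory is unreachable, not when it rejects the password.

```python
"""Model of the tech-login behaviour discussed in this thread.

Constructed example: the Tech records, the fake directory and the
function names are assumptions for illustration, not WHD's schema or
the hotfix's SQL.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class LdapUnavailable(Exception):
    """Raised by the bind callback when the directory cannot be reached."""


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> dict:
    """Store a local (WHD) password as salted PBKDF2-HMAC-SHA256.

    Design choice for this example: a slow, salted KDF instead of the
    unsalted MD5 the thread mentions.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


@dataclass
class Tech:
    username: str
    ldap_enabled: bool
    local_password: Optional[dict]   # hashed WHD password, or None if never set
    linked_client: Optional[str]     # client account the tech is linked to


def list_ldap_techs(techs: List[Tech]) -> List[str]:
    """Counterpart of 'script 1': which tech accounts still authenticate via LDAP."""
    return [t.username for t in techs if t.ldap_enabled]


def disable_tech_ldap(tech: Tech, new_password: str) -> Tech:
    """Counterpart of 'script 2': clear the LDAP flag and give the tech a WHD password."""
    tech.local_password = hash_password(new_password)
    tech.ldap_enabled = False
    return tech


def make_ldap_bind(directory: Dict[str, str],
                   available: bool = True) -> Callable[[str, str], bool]:
    """Build a stand-in for an LDAP simple bind against a constructed directory."""
    def bind(username: str, password: str) -> bool:
        if not available:
            raise LdapUnavailable("directory unreachable")
        return directory.get(username) == password
    return bind


def authenticate_tech(tech: Tech, password: str,
                      ldap_bind: Callable[[str, str], bool]) -> Optional[str]:
    """Return which credential store accepted the login ('ldap' or 'local'), or None.

    The local password is consulted only when LDAP is disabled for the tech
    or the directory cannot be reached. A reachable directory that rejects
    the password ends the attempt; otherwise every tech would have two
    passwords that could be guessed against.
    """
    if tech.ldap_enabled:
        try:
            return "ldap" if ldap_bind(tech.username, password) else None
        except LdapUnavailable:
            pass
    if tech.local_password is not None and verify_password(tech.local_password, password):
        return "local"
    return None


# Constructed sample data: two techs and a fake directory (not real accounts).
DIRECTORY = {"johnd": "Ldap-Secret-1", "alice": "Ldap-Secret-2"}
TECHS = [
    Tech("johnd", ldap_enabled=True, local_password=hash_password("Whd-Fallback-1"),
         linked_client="johnd@mydomain.org"),
    Tech("alice", ldap_enabled=True, local_password=None, linked_client=None),
]

if __name__ == "__main__":
    print("LDAP-enabled techs:", list_ldap_techs(TECHS))
    up = make_ldap_bind(DIRECTORY)
    down = make_ldap_bind(DIRECTORY, available=False)
    print("LDAP up, LDAP password:", authenticate_tech(TECHS[0], "Ldap-Secret-1", up))
    print("LDAP up, WHD password:", authenticate_tech(TECHS[0], "Whd-Fallback-1", up))
    print("LDAP down, WHD password:", authenticate_tech(TECHS[0], "Whd-Fallback-1", down))
```

Running the block shows the three cases the thread argues about: with the directory reachable only the LDAP password works, with it unreachable the WHD password takes over, and a tech who never had a WHD password set (alice) cannot log in at all while LDAP is down, which is why the hotfix's second step sets one before clearing the flag.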

                          • Re: Web Help Desk® 12.5.1 Hotfix 1
                            ddevore9

Quick question: currently all of my tech accounts are linked to client accounts. On my own tech account I removed the LDAP authentication and set a password manually. I verified there is a client account associated with my account, but now I can't log in using my LDAP password. I have not applied this patch yet; will the patch correct this? If so, since all of my techs are linked to their client accounts, will our guys need to change anything if I don't want them to have the local non-LDAP password?

                              • Re: Web Help Desk® 12.5.1 Hotfix 1
                                mbelcik

I'm able to confirm this as well. I am unable to log in with my client account via LDAP after disabling LDAP on my tech account.

                                  • Re: Web Help Desk® 12.5.1 Hotfix 1
                                    milan.hulik

                                    Are you guys using full email address as a username? You need to login with the client account and once you are logged in, switch to tech account by clicking the blue icon in the top right corner.

                                      • Re: Web Help Desk® 12.5.1 Hotfix 1
                                        johndcciu

                                        Yes, I can confirm the same issue:

                                        • Logged into my Tech (Admin) account with username "JohnD"
• Unchecked LDAP on my Tech account
                                        • Set a password (different from my LDAP password) for my Tech account
                                        • Confirmed that my Tech account was linked to my LDAP Client account
                                        • Logged out
• Attempted to log in as "JohnD@mydomain.org" with my LDAP password. Login failed with an "invalid user name or password" message.
                                        • Still able to login to my Tech account with the new manually-set non-LDAP password.

                                        Note that all of my users have always logged in with their plain username (the part before the "@" in their email address), not their full email address.  That's the way it has been since we set up WHD, which has always been linked/synced to our Active Directory.

                                          • Re: Web Help Desk® 12.5.1 Hotfix 1
                                            ddevore9

This is exactly what we are seeing.

How is making our technicians log in with a non-LDAP password, or as a client and then switching every time, more secure? Pretty much every other service we use manages to work securely using LDAP connections. This leaves more passwords to manage and depends on the users picking a secure password and changing it on a regular basis.

Having the techs log in as a client and then switch is really a very cheesy approach.

                                              • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                mbelcik

Agreed. This is completely unacceptable. LDAP authentication for techs is a necessity in our implementation. I can't believe such a core feature would be removed.

                                                • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                  milan.hulik

Dennis, WHD remembers what view (tech or client) you logged out from. If you log out from the tech view and then use your client account's LDAP credentials, you'll be automatically logged in to your tech view.

I am not going to explain how to reproduce the vulnerability (I don't want to give advice to malicious users). If you want to know more about the vulnerability, send me a private message with your availability and I'll give you a call.

                                                • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                  milan.hulik

                                                  Hi John,

So you use User Name as the client login attribute. I assumed that you used email, as that is the default setting.

                                                  So when you link the tech and client account:

1. Log in using your client user name and your client's LDAP password (the HF is not touching client LDAP functionality, so your clients should be able to log in as usual).
2. When you're logged in, switch to your tech account.
3. Log out.
4. Log in again using your client's credentials.
5. You should end up in the tech view for the tech account (WHD remembers what view you logged out from).

Let me know if that worked.

                                                  Milan