How to remediate – SolarWinds Web Help Desk – Web Detection

1. Introduction

The SolarWinds Web Help Desk – Web Detection vulnerability means the web interface for this help desk software is accessible from your network. This matters because an exposed web interface increases the risk of unauthorised access and potential compromise. Systems running SolarWinds Web Help Desk are usually affected, with a likely impact on confidentiality, integrity, and availability if exploited.

2. Technical Explanation

The vulnerability occurs when the web interface for SolarWinds Web Help Desk is publicly accessible. An attacker can attempt to access the interface remotely. There is no known CVE associated with this detection at present. A simple example of exploitation would be an attacker attempting to log in using default credentials or exploiting a potential flaw within the web application itself. All versions of SolarWinds Web Help Desk are potentially affected if exposed.

• Root cause: The web interface is accessible without appropriate network controls.
• Exploit mechanism: An attacker attempts to access the web interface and exploit any vulnerabilities present, such as weak authentication or unpatched flaws.
• Scope: All SolarWinds Web Help Desk installations with a publicly exposed web interface.

3. Detection and Assessment

Confirming exposure involves checking for an active web service on the standard ports. A thorough method is to attempt access from outside your network.

• Quick checks: Use netstat -an | grep 80 or netstat -an | grep 443 to check if port 80 (HTTP) and/or 443 (HTTPS) are listening on the server.
• Scanning: Nessus plugin ID 16597 can detect exposed SolarWinds Web Help Desk instances, but results should be verified manually.
• Logs and evidence: Check web server logs for access attempts to URLs associated with SolarWinds Web Help Desk.

netstat -an | grep 80

4. Solution / Remediation Steps

Fixing this issue involves restricting network access to the web interface or removing it entirely if not required.

4.1 Preparation

• Ensure you have documented the current configuration for roll back purposes. A roll back plan is to restore the snapshot or revert firewall rules.
• A change window may be needed, depending on your organisation’s policies and impact of downtime. Approval from a system owner might be required.

4.2 Implementation

1. Step 1: Block external access to ports 80 and 443 using your firewall.
2. Step 2: If the web interface is not needed, uninstall SolarWinds Web Help Desk.

4.3 Config or Code Example

Before

#Example firewall rule allowing access from any source
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

After

#Example firewall rule blocking external access, allowing only internal IPs
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

4.4 Security Practices Relevant to This Vulnerability

Practices that directly address this vulnerability type include least privilege and network segmentation. Least privilege reduces the impact if exploited, while network segmentation limits access to sensitive services.

• Practice 1: Implement a principle of least privilege for all services.
• Practice 2: Segment your network to isolate critical systems.

4.5 Automation (Optional)

#Example PowerShell script to block port 80 with Windows Firewall
New-NetFirewallRule -DisplayName "Block SolarWinds Web Help Desk Port 80" -Direction Inbound -Action Block -Protocol TCP -LocalPort 80

5. Verification / Validation

Confirm the fix by checking that external access is blocked and the service remains functional internally.

• Post-fix check: Use an online port scanner (e.g., https://www.yougetsignal.com/tools/open-ports/) to verify ports 80 and 443 are closed from outside your network.
• Re-test: Re-run the netstat -an | grep 80 command to confirm the service is still listening internally if required.
• Smoke test: Attempt to access the web interface from a trusted internal machine to ensure functionality remains intact if needed.
• Monitoring: Monitor firewall logs for blocked connection attempts to ports 80 and 443 on the server’s IP address.

#Example output showing port 80 closed
netstat -an | grep 80
(No results returned)

6. Preventive Measures and Monitoring

Update security baselines to include network segmentation rules for all web applications. Add checks in your CI/CD pipeline to prevent exposing unnecessary ports. Implement a regular patch review cycle.

• Baselines: Update your firewall baseline or policy to block external access by default.
• Pipelines: Incorporate static analysis tools (SAST) into your build process to identify potential vulnerabilities in web applications.
• Asset and patch process: Review all server configurations regularly for unnecessary exposed ports.

7. Risks, Side Effects, and Roll Back

Blocking external access may disrupt legitimate users if they require remote access. Uninstalling the software will remove functionality. To roll back, restore the snapshot or revert firewall rules.

• Risk or side effect 1: Blocking external access could impact remote support staff. Mitigation is to allow specific IP addresses through the firewall.
• Risk or side effect 2: Uninstalling SolarWinds Web Help Desk removes its functionality. Mitigation is to ensure alternative help desk solutions are in place.
• Roll back: Step 1: Restore the server snapshot. Step 2: Revert any changes made to firewall rules.

8. References and Resources

• Vendor advisory or bulletin: https://www.solarwinds.com/web-help-desk