nessus
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
SOLARWINDS_WEB_HELP_DESK_CVE-2021-35232.NASL
History: Jan 03, 2023 - 12:00 a.m.

SolarWinds Web Help Desk <= 12.7.6 Arbitrary Code Execution

2023-01-03 00:00:00
www.tenable.com
solarwinds
web help desk
arbitrary code execution
vulnerability
hard coded credentials
hql queries
database

EPSS: 0.0004 (Low), percentile 5.1%

The version of SolarWinds Web Help Desk installed on the remote host is prior to or equal to 12.7.6. It is, therefore, affected by an arbitrary code execution vulnerability. Hard-coded credentials allow an attacker with local access to the Web Help Desk host machine to execute arbitrary HQL queries against the database and to leverage the vulnerability to steal users' password hashes or insert arbitrary data into the database.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(169457);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/01/04");

  script_cve_id("CVE-2021-35232");

  script_name(english:"SolarWinds Web Help Desk <= 12.7.6 Arbitrary Code Execution");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote host is affected by an arbitrary code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of SolarWinds Web Help Desk installed on the remote host is prior to or equal to 12.7.6. It is, therefore,
affected by an arbitrary code execution vulnerability. Through hard coded credentials, an attacker with local access to 
the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the
vulnerability to steal the password hashes of the users or insert arbitrary data into the database. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c1a0820");
  # https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35232
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?20b696d9");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Web Help Desk version 12.7.7 Hotfix 1 or later.");
  script_set_attribute(attribute:"agent", value:"windows");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-35232");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/03");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:solarwinds:web_help_desk");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("solarwinds_web_help_desk_detect.nbin", "solarwinds_web_help_desk_installed.nbin");
  script_require_keys("installed_sw/Solarwinds Web Help Desk");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'Solarwinds Web Help Desk');

# according to the advisory, <= 12.7.6 is vulnerable and 12.7.7 Hotfix 1 is offered as a fix
# however it does not explicitly indicate if 12.7.7 is safe or vuln
var constraints = [
  {'min_version':'0.0', 'fixed_version':'12.7.7', 'fixed_display':'12.7.7 Hotfix 1'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_NOTE
);
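
A triage helper for the ambiguity noted in the plugin comment above (12.7.7 without Hotfix 1), given as an added Python example; it is not Tenable's code or the vcf.inc logic. The `review` and `unknown` buckets, the `hotfix1_confirmed` flag and the sample hosts are assumptions made for this example.

```python
# Added illustration; not Tenable's vcf.inc logic or code from the plugin.
from itertools import zip_longest

FIXED_VERSION = "12.7.7"  # 'fixed_version' in the plugin's constraints

def parse_version(text):
    """'12.7.6.8432' -> (12, 7, 6, 8432); raises ValueError if not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Return -1, 0 or 1, padding the shorter tuple with zeros."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def triage(version, hotfix1_confirmed=False):
    """Classify one self-reported version as vulnerable / review / fixed / unknown."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"          # self-reported string could not be parsed
    fixed = parse_version(FIXED_VERSION)
    if compare(v, fixed) < 0:
        return "vulnerable"       # below the constraint's fixed_version
    if compare(v[:3], fixed) == 0 and not hotfix1_confirmed:
        return "review"           # 12.7.7 seen, Hotfix 1 not verified (assumed bucket)
    return "fixed"

def summarize(inventory):
    """Group hosts by triage result. inventory: (host, version, hotfix1_confirmed)."""
    result = {}
    for host, version, confirmed in inventory:
        result.setdefault(triage(version, confirmed), []).append(host)
    return result

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [
    ("whd-01", "12.7.6.8432", False),
    ("whd-02", "12.7.7", False),
    ("whd-03", "12.7.7", True),
    ("whd-04", "unknown", False),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
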

Vendor | Product | Version | CPE
solarwinds | web_help_desk | | cpe:/a:solarwinds:web_help_desk
