By security practitioners, for security practitioners

New zero-day vulnerability in SolarWinds FTP products

On July 12, 2021, SolarWinds disclosed that its Serv-U Managed File Transfer and Serv-U Secure FTP products are vulnerable to a new zero-day vulnerability (CVE-2021-35211), which was already being exploited in the wild, after Microsoft provided them with proof-of-concept code. Microsoft attributes the exploitation to a China-based group it tracks as "DEV-0322".

While Microsoft has stated that only a limited number of customers are impacted, SolarWinds does not have an estimate of the exact number and was not aware of the identity of the affected customers.

At this time, only customers running Serv-U are susceptible to the vulnerability; other SolarWinds product lines are not affected by this CVE.

What is the nature of the vulnerability?

The flaw sits in Serv-U's SSH service. When that SSH service is exposed to the internet, a remote attacker who exploits this vulnerability can execute arbitrary code with privileges on the Serv-U host, and from there install programs and view, change, or delete data. Serv-U's other protocols are not the attack surface for this CVE.

What’s at risk?

Because the vulnerable SSH service is reachable by anyone who can connect to it, every computer hosting an unpatched Serv-U installation with SSH exposed is effectively open to remote exploitation. While the specific targets are not public and little is known about the threat actor beyond Microsoft's attribution, this vulnerability presents a glaring risk to any network running Serv-U.

Affected systems/versions

Serv-U 15.2.3 HF1 and all prior Serv-U versions are affected.

What can I do to protect against this vulnerability?

Apply the Serv-U 15.2.3 HF2 hotfix as soon as possible to patch the vulnerability.

The recommended process from SolarWinds is listed below.

Software version                    | Upgrade path
Serv-U 15.2.3 HF1                   | Apply Serv-U 15.2.3 HF2, available in your Customer Portal
Serv-U 15.2.3                       | Apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal
All Serv-U versions prior to 15.2.3 | Upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal

What if I can’t patch immediately?

According to SolarWinds, disabling SSH in Serv-U mitigates the vulnerability until the hotfix can be applied, since the flaw is only reachable through the SSH service. If SSH must remain enabled in the meantime, at minimum restrict the Serv-U SSH port to trusted source addresses, and verify after either change that the listener is no longer reachable from the internet.
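The following is an added example, not code from the SolarWinds advisory or from this site, that covers both the "Affected systems/versions" check and the interim mitigation above: it reads the SSH identification string from a Serv-U listener, decides whether the version falls in the affected range, prints the upgrade path from the table, and reports "ssh-closed" when the mitigation (disabling Serv-U SSH) has taken effect. It assumes Serv-U announces itself as "SSH-2.0-Serv-U_<version>" (the form commonly seen in the wild, treated here as an assumption), that the banner does not reveal the HF1/HF2 hotfix level (so a 15.2.3 host is flagged for manual verification rather than declared fixed), and that SSH is on port 22. The sample banners are constructed, not captured from real hosts.

```python
"""Triage Serv-U SSH listeners for CVE-2021-35211 exposure.

Added example, not SolarWinds' code. Assumptions: the Serv-U SSH
identification string looks like "SSH-2.0-Serv-U_<version>" and does NOT
carry the hotfix (HF1/HF2) level, so a 15.2.3 host must be checked by hand.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "old":      b"SSH-2.0-Serv-U_15.1.6\r\n",
    "current":  b"SSH-2.0-Serv-U_15.2.3\r\n",
    "notservu": b"SSH-2.0-OpenSSH_8.4\r\n",
    # RFC 4253 allows a server to send text lines before the SSH- line.
    "pretext":  b"Welcome to the file server\r\nSSH-2.0-Serv-U_14.0.1\r\n",
}

FIXED_BASE = (15, 2, 3)  # fix ships as 15.2.3 HF2; anything below 15.2.3 is affected outright
_SERVU_RE = re.compile(r"^SSH-2\.0-Serv-U_(\d+(?:\.\d+)*)", re.IGNORECASE)


@dataclass
class Verdict:
    ident: str                          # identification line, or a reason if none
    version: Optional[Tuple[int, ...]]  # parsed Serv-U version, if any
    status: str                         # affected | verify-hotfix | fixed | not-serv-u | unknown | ssh-closed
    action: str                         # upgrade path from the SolarWinds advisory


def parse_ssh_banner(data: bytes) -> Optional[str]:
    """Return the SSH identification line, skipping any pre-banner text lines."""
    for line in data.split(b"\n"):
        line = line.strip(b"\r")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", errors="replace")
    return None


def triage(banner: bytes) -> Verdict:
    """Map a raw banner to a verdict and the matching upgrade path."""
    ident = parse_ssh_banner(banner)
    if ident is None:
        return Verdict("no SSH identification line", None, "unknown",
                       "Not an SSH service, or the connection was filtered.")
    m = _SERVU_RE.match(ident)
    if not m:
        return Verdict(ident, None, "not-serv-u",
                       "Not Serv-U; CVE-2021-35211 does not apply.")
    ver = tuple(int(p) for p in m.group(1).split("."))
    if ver[:3] < FIXED_BASE:   # a short tuple such as (15, 2) also compares as older
        return Verdict(ident, ver, "affected",
                       "Upgrade to Serv-U 15.2.3, then apply 15.2.3 HF1, then 15.2.3 HF2.")
    if ver[:3] == FIXED_BASE:
        return Verdict(ident, ver, "verify-hotfix",
                       "Banner does not show the hotfix level: confirm HF2 is installed, "
                       "otherwise apply HF1 (if missing) and then HF2.")
    return Verdict(ident, ver, "fixed", "Newer than 15.2.3; no action for this CVE.")


def check_host(host: str, port: int = 22, timeout: float = 5.0) -> Verdict:
    """Live check. After the interim mitigation (Serv-U SSH disabled) or a
    firewall rule blocking the port, this should return status 'ssh-closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return triage(s.recv(512))
    except OSError as exc:  # covers ConnectionRefusedError and socket.timeout
        return Verdict(f"{host}:{port} unreachable ({exc})", None, "ssh-closed",
                       "No SSH listener reachable; confirm this matches the intended mitigation.")


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        v = triage(banner)
        print(f"{name:9} {v.status:14} {v.version}  {v.action}")
```

Run `check_host("serv-u.example.internal")` against each Serv-U host from an external vantage point: an "affected" or "verify-hotfix" verdict from the internet side is exactly the exposure the advisory warns about, and "ssh-closed" is what you expect to see once SSH has been disabled or the port restricted.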

Resources

SolarWinds security advisory:
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211

HackerNews’s article on CVE-2021-35211
https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html

The Record’s article on the vulnerability
https://therecord.media/microsoft-discovers-a-solarwinds-zero-day-exploited-in-the-wild/

ThreatPost’s article on CVE-2021-35211
https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/

Arstechnica’s article on the vulnerability
https://arstechnica.com/gadgets/2021/07/microsoft-says-hackers-in-china-exploited-critical-solarwinds-0-day/

JL
