On July 12, 2021, SolarWinds disclosed that its Serv-U Managed File Transfer and Serv-U Secure FTP products are affected by a previously unknown (zero-day) vulnerability, CVE-2021-35211, after Microsoft provided them with proof-of-concept code. Microsoft attributes the exploitation to a China-based group it designates “DEV-0322”.
While Microsoft has stated that only a limited number of customers are impacted, SolarWinds does not have an estimate of the exact number and was not aware of the identity of the affected customers.
At this time, only customers running Serv-U are affected; other SolarWinds products are not.
What is the nature of the vulnerability?
When the Serv-U SSH service is exposed to the internet, a remote attacker who exploits this vulnerability can run arbitrary code with privileges on the host, including viewing, changing or deleting data and installing programs.
What’s at risk?
Because the vulnerable SSH service is commonly reachable from outside the network, every host running an unpatched Serv-U instance with SSH enabled is open to exploitation by a threat actor. While the affected customers have not been publicly identified, this vulnerability presents a serious risk to any network running Serv-U.
Serv-U 15.2.3 HF1 and all prior Serv-U versions are affected.
What can I do to protect against this vulnerability?
Apply the Serv-U 15.2.3 HF2 hotfix as soon as possible to patch the vulnerability.
The recommended process from SolarWinds is listed below.
| Software Version | Upgrade Path |
| --- | --- |
| Serv-U 15.2.3 HF1 | Apply Serv-U 15.2.3 HF2, available in your Customer Portal |
| Serv-U 15.2.3 | Apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal |
| All Serv-U versions prior to 15.2.3 | Upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal |
What if I can’t patch immediately?
According to SolarWinds, disabling SSH for Serv-U mitigates the vulnerability until the hotfix can be applied; the vulnerability does not exist if SSH is not enabled.
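The two practical questions above, which Serv-U versions are exposed and whether their SSH service is reachable, can be answered from the outside with a banner scan. The script below is an added example written for this page, not SolarWinds tooling. It assumes (not stated on the page) that Serv-U's SSH identification string has the form `SSH-2.0-Serv-U_<major>.<minor>.<patch>.<build>`; because that banner cannot distinguish 15.2.3 HF1 from HF2, any 15.2.3 listener is reported as "verify hotfix level on the host" rather than as fixed. The host list and sample banners are constructed for the example.

```python
"""Added example (not SolarWinds code): find reachable Serv-U SSH listeners and
map the advertised version onto the upgrade path from the SolarWinds advisory.

Assumption (not from the page): Serv-U answers the SSH handshake with an
identification line such as "SSH-2.0-Serv-U_15.2.2.401". The hotfix level
(HF1/HF2) is not visible in that line, so 15.2.3 can only be flagged for
manual verification.
"""
import re
import socket
from typing import Iterable, List, Optional, Tuple

# Assumed banner layout; the build number after the third dot is optional.
BANNER_RE = re.compile(r"^SSH-2\.0-Serv-U_(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

FIXED_BASE = (15, 2, 3)  # 15.2.3 + HF2 is the first fixed release per the advisory

# Verdict -> action text taken from the advisory's upgrade-path table.
UPGRADE_PATH = {
    "affected": "Upgrade to 15.2.3, then apply HF1, then HF2. Disable SSH until done.",
    "verify-hotfix": "15.2.3 branch: confirm HF2 is installed on the host "
                     "(banner cannot show the hotfix level); if not, apply HF1 then HF2.",
    "unaffected": "Newer than 15.2.3: outside the affected range.",
    "not-serv-u": "Not a Serv-U SSH listener; nothing to do for CVE-2021-35211.",
    "no-listener": "No SSH service reachable on that port.",
}


def parse_servu_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Serv-U SSH banner, or None otherwise."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def classify(version: Optional[Tuple[int, int, int]]) -> str:
    """Place a parsed Serv-U version relative to the 15.2.3 HF2 fix."""
    if version is None:
        return "not-serv-u"
    if version < FIXED_BASE:
        return "affected"
    if version == FIXED_BASE:
        return "verify-hotfix"
    return "unaffected"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[str]:
    """Open a TCP connection and read the server's SSH identification line.

    SSH servers send their identification string first, so no client data is
    needed. Returns None if the port is closed, filtered, or silent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256)
    except OSError:
        return None
    if not data:
        return None
    return data.decode("ascii", errors="replace").splitlines()[0]


def assess_banner(banner: Optional[str]) -> str:
    """Verdict for one banner (None means nothing answered on the port)."""
    if banner is None:
        return "no-listener"
    return classify(parse_servu_banner(banner))


def assess_hosts(targets: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, Optional[str], str]]:
    """Scan (host, port) pairs you are authorised to test; returns one row per target."""
    rows = []
    for host, port in targets:
        banner = grab_banner(host, port)
        rows.append((host, port, banner, assess_banner(banner)))
    return rows


if __name__ == "__main__":
    # Constructed sample banners so the example runs offline; replace with
    # assess_hosts([("mft.example.com", 22)]) for a live check of your own hosts.
    samples = {
        "legacy-mft": "SSH-2.0-Serv-U_15.1.6.25",
        "current-mft": "SSH-2.0-Serv-U_15.2.3.742",
        "bastion": "SSH-2.0-OpenSSH_8.4",
        "closed-port": None,
    }
    for name, banner in samples.items():
        verdict = assess_banner(banner)
        print(f"{name:12} {banner or '-':30} {verdict:14} {UPGRADE_PATH[verdict]}")
```

A hit on a public address is exactly the "SSH exposed to the internet" condition the advisory warns about; until HF2 is applied, disable that listener. Only scan hosts you own or are authorised to test.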
Sources:
SolarWinds security advisory for CVE-2021-35211
The Hacker News article on CVE-2021-35211
The Record's article on the vulnerability
Threatpost's article on CVE-2021-35211
Ars Technica's article on the vulnerability