Zero-Day Vulnerability in SolarWinds Serv-U Products

13 July, 2021

Event Summary

The SolarWinds Serv-U product line contains a zero-day vulnerability. Microsoft discovered the exploitation activity, reported it to SolarWinds, and has evidence of exploitation in the wild. Only the Serv-U product line is affected; no other SolarWinds products are. This is not related to the supply chain attack disclosed in December 2020.

Details

SolarWinds has released a security advisory on this vulnerability (linked in the Resources section below). Patches are available through the advisory.

There is evidence that at least one threat actor has been exploiting this vulnerability since on or before July 9th. It affects SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP, and therefore the Serv-U Gateway as well.

If successfully exploited, an attacker could remotely execute arbitrary code with privileges on the machine hosting Serv-U. This would allow the attacker to install and run programs, and to view, change or delete data.

SolarWinds stated that if SSH is not enabled in the environment, the vulnerability cannot be exploited, since the vulnerable code is only reached over SSH. SolarWinds also stated that no other products are affected by this vulnerability.

Affected Versions:

Serv-U version 15.2.3 HF1 (released May 5, 2021) and all prior versions of the Serv-U product line.


Recommendations

SolarWinds has issued a hotfix to mitigate the attacks while it works on a permanent fix.

Patches are provided through the SolarWinds Customer Portal (linked in the Resources section below).

Provided Upgrade Path:

Serv-U version 15.2.3 HF1 – Apply hotfix (HF) 2

Serv-U version 15.2.3 – Apply version 15.2.3 HF1, then apply HF2

Serv-U versions prior to 15.2.3 – Upgrade to version 15.2.3, apply HF1, then apply HF2

If patching is not an immediate option, disabling SSH on the Serv-U instance should prevent exploitation until the hotfix can be applied.

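The upgrade path and the SSH condition above can be turned into a small triage helper for an inventory of Serv-U hosts. The following is an added example written for this alert; it is not SolarWinds or Security On-Demand code. It assumes the "major.minor.patch [HFn]" version format used in the advisory, treats 15.2.3 HF2 and anything later as fixed, and uses a constructed host inventory for the demonstration.

```python
"""Triage Serv-U hosts against CVE-2021-35211.

Added example, not vendor code. Encodes the advisory's two rules:
  * 15.2.3 HF1 and all earlier versions are affected; HF2 carries the fix
    (assumption: releases after HF2 keep the fix).
  * The flaw is only reachable when SSH is enabled on the instance.
"""
import re
from typing import List, NamedTuple


class ServUVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int  # 0 when the version string carries no "HFn" suffix

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.patch}"
        return f"{base} HF{self.hotfix}" if self.hotfix else base


# Assumed format: "15.2.3", "15.2.3 HF1". An optional trailing build
# number such as "15.2.3.742" is accepted and ignored.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)

BASE_RELEASE = ServUVersion(15, 2, 3, 0)   # target of the "prior to 15.2.3" step
FIRST_FIXED = ServUVersion(15, 2, 3, 2)    # 15.2.3 HF2


def parse_version(text: str) -> ServUVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return ServUVersion(int(major), int(minor), int(patch), int(hf or 0))


def is_vulnerable(v: ServUVersion) -> bool:
    # NamedTuple ordering is lexicographic: (15, 2, 3, 1) < (15, 2, 3, 2).
    return v < FIRST_FIXED


def upgrade_path(v: ServUVersion) -> List[str]:
    """Ordered steps from the advisory's upgrade path; empty when fixed."""
    if not is_vulnerable(v):
        return []
    steps: List[str] = []
    if v < BASE_RELEASE:
        steps.append("Upgrade to Serv-U 15.2.3")
    if v < ServUVersion(15, 2, 3, 1):
        steps.append("Apply Serv-U 15.2.3 HF1")
    steps.append("Apply Serv-U 15.2.3 HF2")
    return steps


def assess(version_text: str, ssh_enabled: bool) -> dict:
    """Combine version status with the SSH condition from the advisory."""
    v = parse_version(version_text)
    vulnerable = is_vulnerable(v)
    exploitable = vulnerable and ssh_enabled
    return {
        "version": str(v),
        "vulnerable": vulnerable,
        "exploitable": exploitable,
        "steps": upgrade_path(v),
        "interim_mitigation": (
            "Disable SSH on this Serv-U instance until HF2 is applied"
            if exploitable else None
        ),
    }


if __name__ == "__main__":
    # Constructed inventory: (hostname, reported version, SSH listener on?)
    inventory = [
        ("mft-01", "15.2.3 HF1", True),
        ("mft-02", "15.2.3", False),
        ("sftp-legacy", "15.1.7", True),
        ("mft-03", "15.2.3 HF2", True),
    ]
    for host, ver, ssh in inventory:
        r = assess(ver, ssh)
        print(f"{host:12} {r['version']:12} vulnerable={r['vulnerable']} "
              f"exploitable={r['exploitable']} steps={r['steps']}")
```

A host that is vulnerable but has SSH disabled still gets the full patch path; the SSH flag only decides whether it needs the interim mitigation now or can wait for the maintenance window.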

SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability. If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.


Resources

CVE-2021-35211

SolarWinds Advisory – Serv-U Remote Memory Escape Vulnerability

SolarWinds Customer Portal – Hot Fixes available

Bleeping Computer – SolarWinds Serv-U Vulnerability

arsTechnica – SolarWinds Zero-Day