SolarWinds released updates for their Serv-U Managed File Transfer and Serv-U Secure FTP tools this weekend after they were notified of a vulnerability by Microsoft. 

In an advisory sent out on Friday and updated on Saturday, SolarWinds said Microsoft “reported to SolarWinds that they had discovered a remote code execution vulnerability in the SolarWinds Serv-U product.” SolarWinds added that the Serv-U Gateway is a component of the Serv-U Managed File Transfer and Serv-U Secure FTP tools and is not a separate product. 

The vulnerability can be found in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. Microsoft provided the company with a proof of concept of the exploit and said that at least one threat actor has already used it.  

“A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system,” the advisory said.

“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers.” 

A hotfix — Serv-U version 15.2.3 hotfix (HF) 2 — has been developed and released. 

SolarWinds said customers of the product should log into their Customer Portals to access updates. 

For those who are not on active maintenance and currently using a Serv-U product, the company said it was offering customer service help. 

To check if you have been compromised through this vulnerability, SolarWinds listed a number of suggestions and questions administrators should ask. 

“Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack. When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack,” SolarWinds said. 

“Please collect the DebugSocketlog.txt log file. In the log file DebugSocketlog.txt you may see an exception, such as: 07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5,” the company added, noting that exceptions “may be thrown for other reasons so please collect the logs to assist with determining your situation.”

SolarWinds added that administrators should look for “connections via SSH from the following IP addresses, which have been reported as a potential indicator of attack by the threat actor: 98.176.196.89 68.235.178.32 or, look for connections via TCP 443 from the following IP address: 208.113.35.58.”

SolarWinds vulnerabilities have been targeted repeatedly over the last year and the company drew headlines in December when Russian government hackers compromised their network and deployed malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. 

In March, it was revealed that Chinese government hackers launched another attack on a SolarWinds server. 



Source link