The Dataprise Blog

SolarWinds Serv-U Zero-Day Vulnerability: Dataprise Defense Digest

Jul 12, 2021 BY DATAPRISE


EXECUTIVE SUMMARY

In an advisory published on its website on July 9th, 2021, SolarWinds disclosed that Microsoft had notified it of a critical security vulnerability affecting its Serv-U Managed File Transfer and Serv-U Secured FTP products. The vulnerability (CVE-2021-35211) allows remote code execution (RCE) on the host running those products. SolarWinds states in the advisory that the vulnerability affects only Serv-U Managed File Transfer and Serv-U Secured FTP and does not affect any other SolarWinds or N-able products.

Microsoft noted that the vulnerability is being exploited by a single threat actor against a small, targeted set of SolarWinds customers. SolarWinds has confirmed that the vulnerability exists in Serv-U version 15.2.3 HF1 and all prior versions, and has developed and released “Serv-U version 15.2.3 hotfix (HF) 2” to resolve it; however, it is being reported that the hotfix does not completely resolve the vulnerability or mitigate the exploit.

DETAILED ANALYSIS

An investigation by the Microsoft Threat Intelligence Center and Microsoft Offensive Security teams discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U Managed File Transfer and Serv-U Secured FTP products, and Microsoft provided SolarWinds with a proof of concept (PoC) of the exploit. A threat actor who successfully exploits this vulnerability may gain privileged access to the machine hosting the affected Serv-U product.

SolarWinds suggests the following steps to determine whether your environment has been compromised:

1. Check whether SSH is enabled for your Serv-U installation. The vulnerability lies in Serv-U's SSH handling, so an installation with SSH disabled is not exposed to this exploit.
2. The attack is a return-oriented programming (ROP) attack. When exploited successfully, the vulnerability causes the Serv-U product to throw an exception and then hijacks the exception-handling code to run commands. An exception by itself, however, is not necessarily an indicator of attack.

Collect the “DebugSocketlog.txt” log file. In it you may see an exception such as:

07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5

The exception code C0000005 is a Windows access violation, the kind of crash memory-corruption exploits produce, but exceptions may be thrown for other reasons. Collect these logs and correlate them with your other security logs (for example, perimeter firewall records of port 22 connections from the addresses listed below) when determining whether your SolarWinds Serv-U instance has been compromised.

INDICATORS OF COMPROMISE:

The following source IP addresses and connection methods have been reported as potential indicators of attack by the threat actor:
98.176.196.89 (TCP port 22 – SSH)
68.235.178.32 (TCP port 22 – SSH)
208.113.35.58 (TCP port 443 – HTTPS)
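As an added example, not code from SolarWinds, Microsoft or the advisory, the following Python script performs the log check described above and the IOC correlation it calls for: it scans DebugSocketlog.txt text for EXCEPTION lines raised inside CSUSSHSocket::ProcessReceive(), parses their fields, and flags any line mentioning one of the source addresses in the IOC list, reporting both by line number so they can be lined up by time. The exception line in the sample input is the one quoted above; the other sample lines, and the connection-line wording they use, are constructed for this example and are not Serv-U's real log format.

```python
"""Triage helper for Serv-U DebugSocketlog.txt (added example, not from the advisory).

Reports (1) EXCEPTION lines raised inside CSUSSHSocket::ProcessReceive(), the
crash signature quoted in the advisory, with their fields parsed, and
(2) any line mentioning one of the advisory's IOC source addresses.
"""
import re
from datetime import datetime

# Source addresses from the INDICATORS OF COMPROMISE list above.
IOC_IPS = ("98.176.196.89", "68.235.178.32", "208.113.35.58")

# Matches the exception format quoted in the advisory, e.g.
# "07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; ..."
# The leading "[" is optional because the quoted line is missing it.
EXC_RE = re.compile(
    r"^\[?(?P<thread>\d+)\]\s+(?P<ts>\w{3} \d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - "
    r"EXCEPTION: (?P<code>[0-9A-Fa-f]{8}); (?P<func>[^;]+);(?P<rest>.*)$"
)
# "Type: 30" and "nPacketLength = 76" style fields after the function name.
FIELD_RE = re.compile(r"(\w+)\s*[:=]\s*([^;]+)")

# Whole-address match: 198.176.196.89 must not be reported as 98.176.196.89.
IOC_RES = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in IOC_IPS}


def parse_exception(line):
    """Return the parsed fields of an EXCEPTION log line, or None if it is not one."""
    m = EXC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("rest"))}
    fields.update(
        thread=m.group("thread"),
        timestamp=datetime.strptime(m.group("ts"), "%a %d%b%y %H:%M:%S"),
        code=m.group("code").upper(),
        function=m.group("func").strip(),
    )
    return fields


def is_ssh_receive_crash(exc):
    """True for an access violation (C0000005) in the SSH receive path named in the advisory."""
    return exc["code"] == "C0000005" and exc["function"].startswith("CSUSSHSocket::ProcessReceive")


def ioc_hits(line):
    """IOC addresses that appear in the line as complete addresses."""
    return [ip for ip in IOC_IPS if IOC_RES[ip].search(line)]


def triage(log_text):
    """Scan log text and return findings in line order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        exc = parse_exception(line)
        if exc and is_ssh_receive_crash(exc):
            findings.append({"line": lineno, "kind": "ssh_exception",
                             "timestamp": exc["timestamp"], "detail": exc})
        for ip in ioc_hits(line):
            findings.append({"line": lineno, "kind": "ioc_ip", "ip": ip, "text": line.strip()})
    return findings


# Constructed sample input. Line 3 is the exception quoted in the advisory; the
# other lines are made up for this example and only borrow the timestamp prefix,
# they do not reproduce Serv-U's real connection-log wording.
SAMPLE_LOG = """\
[07] Tue 01Jun21 02:42:31 - (000004) Connected to 98.176.196.89 on port 22 (constructed line)
[07] Tue 01Jun21 02:42:40 - (000005) Connected to 198.176.196.89 on port 22 (constructed, must not match)
07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
[07] Tue 01Jun21 03:15:02 - EXCEPTION: C0000005; CSomeOtherClass::Tick(); Type: 1; (constructed, unrelated crash)
[07] Tue 01Jun21 03:20:00 - (000006) Session closed (constructed line)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["kind"] == "ssh_exception":
            d = f["detail"]
            print(f"line {f['line']}: {d['timestamp']} SSH receive crash, nPacketLength={d.get('nPacketLength')}")
        else:
            print(f"line {f['line']}: IOC address {f['ip']} seen: {f['text']}")
```

Run it against a real DebugSocketlog.txt by passing the file's contents to triage(); an ssh_exception finding close in time to an ioc_ip finding, or to a firewall record of a port 22 connection from one of the listed addresses, is the correlation the advisory asks for. The constructed unrelated crash on line 4 is deliberately not flagged, because only exceptions in the SSH receive path match the signature.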

MITIGATION

1. Apply the latest hotfix, “Serv-U version 15.2.3 hotfix (HF) 2”, released by SolarWinds.
2. Disable SSH access on machines running Serv-U products wherever it is not required, since the exploit depends on SSH being enabled.
3. Block the IP addresses listed in the IOCs above on all perimeter firewalls. Because the threat actor can move to new infrastructure, treat this as a supplement to patching, not a replacement.


CONTRIBUTING AUTHORS

• Stephen Jones, Senior Director Cybersecurity
• Ayyappa Vyamasani, Cybersecurity Analyst
• Susan Verdin, Cybersecurity Analyst
• Maximo Bredfeldt, Virtual CISO (vCISO)
