A Critical Serv-U Vulnerability Exploited in the Wild, Fixed by SolarWinds
Customers Should Patch the Serv-U Remote Code Execution Vulnerability as Soon as Possible.
SolarWinds is urging its customers to patch a Serv-U remote code execution vulnerability that is being exploited in the wild by “a single threat actor” in attacks against a limited number of customers.
Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability.
To the best of our understanding, no other SolarWinds products have been affected by this vulnerability. [..] SolarWinds is unaware of the identity of the potentially affected customers.
The zero-day, tracked as CVE-2021-35211, affects Serv-U Managed File Transfer and Serv-U Secure FTP and allows a remote threat actor who successfully exploits it to execute arbitrary code with privileges on the server.
The flaw is reachable only through Serv-U's SSH service: if SSH is not enabled in the environment, the vulnerability does not exist.
The vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Offensive Security Research teams. It is present in Serv-U 15.2.3 HF1, the latest release at the time (published in May 2021), and in all prior versions.
SolarWinds addressed the Serv-U remote code execution vulnerability with the release of Serv-U version 15.2.3 hotfix (HF) 2.
SolarWinds also states that all other SolarWinds and N-able products (including the Orion Platform and Orion Platform modules) are not affected by CVE-2021-35211.
SolarWinds released a hotfix Friday, July 9, 2021, and we recommend all customers using Serv-U install this fix immediately for the protection of your environment.
SolarWinds has published additional guidance on its website on how to check whether an environment has been compromised.
SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and has developed a hotfix to resolve this vulnerability. While Microsoft’s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.
The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system.
Serv-U version 15.2.3 hotfix (HF) 2 has been released.
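The advisory gives two facts a defender needs for triage: every Serv-U release up to and including 15.2.3 HF1 is affected, and a host without an SSH listener is not exposed. The following is an added example, not code from SolarWinds or Microsoft, that turns those two facts into a small inventory triage. It assumes version strings in the form shown in the Serv-U console ("15.2.3 HF1") and, for remote checks, an SSH identification banner of the form "SSH-2.0-Serv-U_<version>"; the banner format and all hostnames, versions and build numbers in the sample inventory are constructed assumptions, not values from the advisory. Because a banner does not carry the hotfix level, a 15.2.3 host seen only on the wire is flagged for local verification rather than called patched.

```python
import re

# First fixed release is Serv-U 15.2.3 hotfix 2; 15.2.3 HF1 and all prior
# versions are affected (per the SolarWinds advisory quoted above).
FIXED_CORE = (15, 2, 3)
FIXED_HOTFIX = 2

# Console-style version strings: "15.2.3 HF1", "15.2.3", "15.1.7".
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)\s*(?:HF\s*(\d+))?", re.IGNORECASE)

# ASSUMPTION: SSH identification string shaped like "SSH-2.0-Serv-U_15.2.3.742".
# This is not taken from the advisory; confirm against your own listener.
BANNER_RE = re.compile(r"^SSH-2\.0-Serv-U_([\d.]+)", re.IGNORECASE)


def parse_version(text):
    """Parse a console version string into ((major, minor, patch), hotfix).

    A version with no HF suffix is the base release, i.e. hotfix level 0.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    core = tuple((nums + [0, 0, 0])[:3])  # keep major.minor.patch only
    hotfix = int(m.group(2)) if m.group(2) else 0
    return core, hotfix


def parse_banner(banner):
    """Parse an SSH banner into ((major, minor, patch), None), or None.

    The banner carries a build number but no hotfix level, so the hotfix is
    returned as None (unknown) and must be confirmed on the host itself.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    nums = [int(p) for p in m.group(1).strip(".").split(".")]
    return tuple((nums + [0, 0, 0])[:3]), None


def classify(core, hotfix, ssh_enabled):
    """Return not_exposed, vulnerable, patched or verify_hotfix_level."""
    if not ssh_enabled:
        return "not_exposed"          # advisory: no SSH, no vulnerability
    if core > FIXED_CORE:
        return "patched"              # released after the fix
    if core < FIXED_CORE:
        return "vulnerable"           # "all prior versions" are affected
    if hotfix is None:
        return "verify_hotfix_level"  # 15.2.3 on the wire: HF1 or HF2?
    return "patched" if hotfix >= FIXED_HOTFIX else "vulnerable"


def triage(inventory):
    """Map each host to a status; entries carry a 'version' or a 'banner'."""
    results = {}
    for host, entry in inventory.items():
        if "banner" in entry:
            parsed = parse_banner(entry["banner"])
            if parsed is None:
                results[host] = "not_serv_u"
                continue
            core, hotfix = parsed
            ssh_enabled = True        # a banner means the listener is up
        else:
            core, hotfix = parse_version(entry["version"])
            ssh_enabled = entry.get("ssh_enabled", True)
        results[host] = classify(core, hotfix, ssh_enabled)
    return results


# Constructed sample inventory: hostnames, versions and banners are made up.
SAMPLE_INVENTORY = {
    "mft-01": {"version": "15.2.3 HF1", "ssh_enabled": True},
    "mft-02": {"version": "15.2.3 HF2", "ssh_enabled": True},
    "mft-03": {"version": "15.2.2", "ssh_enabled": True},
    "mft-04": {"version": "15.2.3 HF1", "ssh_enabled": False},
    "mft-05": {"banner": "SSH-2.0-Serv-U_15.2.3.742"},
    "mft-06": {"banner": "SSH-2.0-Serv-U_15.1.7.162"},
    "jump-01": {"banner": "SSH-2.0-OpenSSH_8.4"},
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Treat "not_exposed" as a mitigation, not a fix: the hotfix is still required, because enabling SSH later would reopen the issue on an unpatched host.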
The SolarWinds Supply-Chain Attack
As you might remember, in December 2020 the SolarWinds supply-chain attack came to light: a trojanized Orion update had been downloaded by as many as 18,000 customers, including government entities and Fortune 500 companies, and at least nine federal agencies and more than 100 companies were confirmed to have been breached.
The attackers compromised the company's build environment, and the malicious Orion builds were used to deliver a backdoor tracked as Sunburst to up to 18,000 customers.
Multiple US agencies were breached in the SolarWinds supply-chain attack, including the Department of the Treasury, the National Telecommunications and Information Administration, the Department of State, the National Institutes of Health, the Department of Homeland Security, the Department of Energy, and the National Nuclear Security Administration.