SolarWinds issues fix for RCE vulnerability in Serv-U products amid ‘targeted’ attacks

Adam Bannister 13 July 2021 at 12:24 UTC

Enterprise IT software vendor unsure of scope of impact

SolarWinds has patched a remote code execution (RCE) vulnerability in its Serv-U file transfer products after Microsoft observed exploitation against “a limited, targeted set of customers” by “a single threat actor”.

The remote memory escape flaw (CVE-2021-35211) affects both the Serv-U Managed File Transfer Server and Serv-U Secured File Transfer Protocol, according to a security advisory issued by SolarWinds.

“A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges,” said SolarWinds. “An attacker could then install programs; view, change, or delete data; or run programs on the affected system.”

Catch up on the latest cyber-attack news and analysis

Having been alerted to the flaw and hostile exploitation by Microsoft, SolarWinds said it “mobilized to address it quickly”, issuing a hotfix on July 9.

The enterprise IT software vendor said it doesn’t yet “have an estimate of how many customers may be directly affected by the vulnerability”, or the identity of any potentially affected customers.

SolarWinds said the flaw “is completely unrelated to the Sunburst supply chain attack” that unfolded at the tail end of 2020, in which nation-state attackers compromised SolarWinds clients such as Microsoft, FireEye, and US government agencies via vulnerabilities in SolarWinds’ Orion software.

Indicators of compromise

The vulnerability exists in all Serv-U versions up to and including 15.2.3 HF1, and has been addressed in Serv-U 15.2.3 HF2.

“We recommend all customers using Serv-U install this fix immediately for the protection of your environment,” said SolarWinds.

RECOMMENDED Eight arrests made as Eurojust dismantles €2 million e-commerce fraud operation

SolarWinds has confirmed that no other SolarWinds or N-able (formerly SolarWinds MSP) products are affected by the flaw.

The company has warned Serv-U customers that the throwing of exceptions within their environment could be a sign of compromise – although there are other potential causes – because exploitation takes the form of Return Oriented Programming (ROP) attacks.

Another potential indicator of compromise is “potentially suspicious connections via SSH”.

Customers are safe from attacks exploiting the vulnerability when SSH is disabled, added SolarWinds.

The company also said that “additional details of the vulnerability will be published after giving customers sufficient time to upgrade for the protection of their environments”.

The Daily Swig has put additional queries to SolarWinds, including one related to the scope of impact. We will update this article should we receive a response.

DON’T FORGET TO READ Research exposes vulnerabilities in IP camera firmware used by multiple vendors