SolarWinds customers under active attack (again) via RCE bug in file share tool Serv-U
A new SolarWinds vulnerability is being actively expoited in the wild, with hackers targeting a remote code execution (RCE) bug in its Serv-U file transfer products, the beleagured IT infrastructure technology company said — after being tipped off by Microsoft to the targeted attacks.
The bug affects both Serv-U Secured FTP server software and more expensive (from £2,424 per server) Serv-U Managed File Transfer Server products — painfully, designed to ensure “compliance with PCI DSS, HIPAA, FISMA, SOX, and other standards involving securing data in transit.”
“A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system” SolarWinds said — releasing a hotfix and saying it doesn’t yet know how many companies have been hit, nor the names of those that were. (It has promised more updates anon…)
The vulnerability — allocated allocated CVE-2021-35211 — affects the Serv-U 15.2.3 HF1 and all prior Serv-U versions. It is a “standard” (if severe RCE) software vulnerability and unrelated to the deeper compromise of SolarWinds’ software in the so-called SUNBURST supply chain attack.
New SolarWinds vulnerability: What to look out for
The company described the new SolarWinds vulnerability in a June 10 advisory (perhaps overlooked by those in Europe glued to the Euros final) as a “Return Oriented Programming (ROP) attack” noting that “when exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands.” It only affects those with SSH enabled.
Users should collect the DebugSocketlog.txt log file. If in this file they see an exception, like the following, they may have been a victim: 07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
Follow The Stack on LinkedIn
Exceptions may be thrown for other reasons so please collect the logs to assist with determining your situation. Connections via SSH from the following IP addresses have also been reported as a potential indicator of attack by the threat actor: 18.104.22.168 and 22.214.171.124. Users should also look out for connections via TCP 443 from 126.96.36.199.
Third-party file transfer services a clearly an increasingly attractive target for hackers — who late last year breached third-party file-transfer service Accellion FTA, compromising scores of “big game” customers as a result; Shell, the University of California, and the Reserve Bank of New Zealand all suffered data breaches as a result. The latest Accellion breach victim has been revealed as Morgan Stanley, which only found out it had data stolen a full quarter after it happened, the investment bank admitted on July 2, 2021.