SolarWinds Serv-U Remote Code Execution Vulnerability (CVE-2021-35211) Threat Alert

July 23, 2021 | Jie Ji

Overview

Through its ongoing monitoring, NSFOCUS CERT found that SolarWinds has released a security advisory fixing a remote code execution vulnerability (CVE-2021-35211). Microsoft reported to SolarWinds that it had observed the vulnerability being exploited in the wild and provided a proof of concept of the exploit. Unauthenticated remote attackers could exploit this vulnerability to execute arbitrary code with privileges on the affected system. Affected users are advised to take preventive measures as soon as possible.

According to SolarWinds, the vulnerability exists in the SSH component and is unrelated to the SUNBURST supply chain attack. It affects only Serv-U Managed File Transfer and Serv-U Secure FTP. SSH is enabled by default when the Serv-U Management Console wizard is used to create domains. If SSH is not enabled in the Serv-U environment, the vulnerability has no impact.

Reference link: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211

Scope of Impact

Affected Versions

  • Serv-U <= 15.2.3 HF1

Unaffected Versions

  • Serv-U = 15.2.3 HF2

Security Check

1. Users can check whether SSH is enabled in the Serv-U environment.

SSH is enabled by default when the Serv-U Management Console wizard is used to create domains. If SFTP over SSH is selected, the environment is affected by the vulnerability.

2. Users can check whether the Serv-U environment throws exceptions.

Collect the DebugSocketlog.txt log file and check whether it contains an exception entry such as the following:

07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066;        nPacketLength = 76; nBytesReceived = 80;   nBytesUncompressed = 156;       uchPaddingLength = 5

3. Users can look for suspicious connections via SSH.

The following IP addresses have been reported by SolarWinds as potential indicators of attack:

98.176.196.89

68.235.178.32
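Checks 2 and 3 above can be automated. The following script is an added example written for this alert; it is not code from NSFOCUS or SolarWinds. It scans the lines of a DebugSocketlog.txt (or any other Serv-U log) for the CSUSSHSocket::ProcessReceive() access-violation signature and for the two indicator IP addresses listed above. The sample log lines embedded in the script are constructed: the first is the exception entry quoted in this alert, the rest are made-up entries in an assumed "[nn] <date> - <text>" shape and do not reproduce real Serv-U log formats.

```python
import re

# Crash signature quoted in the advisory: access violation (exception code C0000005)
# raised inside CSUSSHSocket::ProcessReceive(), Serv-U's SSH receive handler.
EXCEPTION_PATTERN = re.compile(
    r"EXCEPTION:\s*C0000005;\s*CSUSSHSocket::ProcessReceive\(\)"
)

# Addresses SolarWinds reported as potential indicators of attack (from the advisory).
IOC_IPS = frozenset({"98.176.196.89", "68.235.178.32"})

# Dotted-quad matcher with look-around so that "198.176.196.89" is not
# mistaken for "98.176.196.89".
IPV4_PATTERN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_ssh_exceptions(lines):
    """Return every log line carrying the CSUSSHSocket::ProcessReceive() exception signature."""
    return [line for line in lines if EXCEPTION_PATTERN.search(line)]


def find_ioc_connections(lines, ioc_ips=IOC_IPS):
    """Return (ip, line) pairs for log lines that mention one of the indicator IPs."""
    hits = []
    for line in lines:
        for ip in IPV4_PATTERN.findall(line):
            if ip in ioc_ips:
                hits.append((ip, line))
    return hits


def assess_log(lines):
    """Run both checks; 'suspicious' is True when either check produced a hit."""
    exceptions = find_ssh_exceptions(lines)
    ioc_hits = find_ioc_connections(lines)
    return {
        "exceptions": exceptions,
        "ioc_hits": ioc_hits,
        "suspicious": bool(exceptions or ioc_hits),
    }


def assess_log_file(path):
    """Read a log file from disk (tolerating stray bytes) and assess it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return assess_log(fh.read().splitlines())


# Constructed sample input (assumed log shape, not genuine Serv-U output).
SAMPLE_LOG_LINES = [
    # Exception entry quoted in the advisory (whitespace normalized).
    "[07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); "
    "Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; "
    "nBytesUncompressed = 156; uchPaddingLength = 5",
    # Constructed: connection from one of the reported indicator addresses.
    "[02] Tue 01Jun21 02:42:55 - Connected to 98.176.196.89:51234 on port 22",
    # Constructed: benign entries.
    "[02] Tue 01Jun21 02:40:10 - Connected to 10.0.0.25:50011 on port 22",
    "[05] Tue 01Jun21 02:40:12 - Session 1 authenticated for user alice",
]

if __name__ == "__main__":
    result = assess_log(SAMPLE_LOG_LINES)
    print("suspicious:", result["suspicious"])
    for line in result["exceptions"]:
        print("exception:", line)
    for ip, line in result["ioc_hits"]:
        print("indicator", ip, "seen in:", line)
```

On a live host, call assess_log_file() with the path of the collected DebugSocketlog.txt; a hit on the exception signature alone indicates the SSH handler crashed and warrants a closer look even when none of the listed addresses appears, since the reported indicators cover only the activity SolarWinds observed.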

Mitigation

Official Fix

SolarWinds has released security updates to fix this vulnerability. Affected users are advised to apply these updates as soon as possible. The updates are available at https://customerportal.solarwinds.com/.

Affected Versions | Upgrade Paths
Serv-U 15.2.3 HF1 | Apply Serv-U 15.2.3 HF2, available in your Customer Portal
Serv-U 15.2.3 | Apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal
All Serv-U versions prior to 15.2.3 | Upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal

For the installation procedure, go to https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-2-3-HotFix-2?language=en_US.

Other Protection Measures

If affected users cannot upgrade immediately, they can disable the SSH listener to protect against this vulnerability until the update is applied.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.