Overview
Through ongoing monitoring, NSFOCUS CERT has observed that SolarWinds released a security advisory fixing a remote code execution vulnerability (CVE-2021-35211) in Serv-U. Microsoft reported to SolarWinds that it had discovered the vulnerability being exploited in the wild and supplied a proof-of-concept exploit. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code with the privileges of the Serv-U service on the affected system. Affected users are advised to apply the fix or a workaround as soon as possible.
According to SolarWinds, the vulnerability lies in the SSH implementation of Serv-U and is unrelated to the SUNBURST supply chain attack. It affects only Serv-U Managed File Transfer and Serv-U Secure FTP. SSH is enabled by default when the Serv-U Management Console wizard is used to create a domain. If SSH is not enabled in the Serv-U environment, the vulnerability does not affect that environment.
Reference link: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
Scope of Impact
- Serv-U <= 15.2.3 HF1
Unaffected Versions
- Serv-U 15.2.3 HF2
Security Check
1. Check whether SSH is enabled in the Serv-U environment.
SSH is enabled by default when the Serv-U Management Console wizard is used to create a domain. An installation in which SFTP over SSH is selected is exposed to this vulnerability.
2. Check whether the Serv-U environment has thrown the exception associated with exploitation.
Collect the DebugSocketlog.txt log file and search it for a line like the following. It records an access violation (NTSTATUS C0000005) raised inside the SSH packet handler CSUSSHSocket::ProcessReceive(); the pointer and length values will differ between installations, so match on the exception code and the function name rather than on the full line:
07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
3. Look for suspicious SSH connections.
SolarWinds has reported the following IP addresses as potential indicators of attack. Search Serv-U logs and perimeter firewall logs for SSH sessions originating from them:
98.176.196.89
68.235.178.32
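The checks above can be scripted against an exported DebugSocketlog.txt and the installed version string. The following Python is an added example written for this advisory, not tooling from SolarWinds or NSFOCUS. Only the EXCEPTION line in the sample log is copied from the advisory; the "Session connected" lines are constructed and their format is assumed, so in a real log the script relies on nothing more than an IPv4 address appearing somewhere on the line. The version check treats 15.2.3 HF2 and anything later as fixed, which is an assumption beyond the page's "unaffected" list.

```python
import re
from typing import Iterable

# Exception signature quoted in the SolarWinds advisory: an access violation
# (NTSTATUS 0xC0000005) raised inside the Serv-U SSH packet handler.
EXCEPTION_RE = re.compile(
    r"EXCEPTION:\s*C0000005;\s*CSUSSHSocket::ProcessReceive\(\)"
)

# Indicator IP addresses published by SolarWinds for CVE-2021-35211.
IOC_IPS = {"98.176.196.89", "68.235.178.32"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_affected_version(version: str) -> bool:
    """Return True if a Serv-U version string falls in the affected range.

    Affected: every release up to and including 15.2.3 HF1.
    Fixed: 15.2.3 HF2. Anything later is assumed fixed as well (assumption,
    not stated by the advisory). The hotfix number is compared as a fourth
    version component, missing hotfix == HF0.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?\s*", version, re.I)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {version!r}")
    major, minor, patch, hf = (int(x or 0) for x in m.groups())
    return (major, minor, patch, hf) < (15, 2, 3, 2)


def scan_debug_socket_log(lines: Iterable[str]) -> dict:
    """Triage DebugSocketlog.txt content.

    Returns a dict with:
      'exceptions' - lines carrying the ProcessReceive() access violation
      'ioc_hits'   - (ip, line) pairs where a published indicator IP appears
    """
    findings = {"exceptions": [], "ioc_hits": []}
    for line in lines:
        line = line.rstrip("\n")
        if EXCEPTION_RE.search(line):
            findings["exceptions"].append(line)
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                findings["ioc_hits"].append((ip, line))
    return findings


# Constructed sample log. The second line is the advisory's own example;
# the "Session connected" lines are hypothetical and their format is assumed.
SAMPLE_LOG = """\
[07] Tue 01Jun21 02:41:10 - Session connected from 203.0.113.10
07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
[07] Tue 01Jun21 02:43:05 - Session connected from 98.176.196.89
[07] Tue 01Jun21 02:44:00 - Session connected from 203.0.113.10
"""


if __name__ == "__main__":
    for v in ("15.2.3 HF1", "15.2.3", "15.2.3 HF2"):
        print(f"Serv-U {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    result = scan_debug_socket_log(SAMPLE_LOG.splitlines())
    print(f"{len(result['exceptions'])} ProcessReceive() access violation(s)")
    for ip, line in result["ioc_hits"]:
        print(f"IOC {ip}: {line}")
```

To run it against a real file, replace SAMPLE_LOG.splitlines() with an open file handle; a single ProcessReceive() access violation is worth investigating even without an IOC hit, since the published addresses cover only the intrusions SolarWinds observed.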
Mitigation
Official Fix
SolarWinds has released security updates that fix this vulnerability, and affected users are advised to apply them as soon as possible. The updates are available at https://customerportal.solarwinds.com/. The hotfixes are applied in sequence: HF2 is installed on top of 15.2.3 HF1, which in turn requires 15.2.3.
| Affected Versions | Upgrade Paths |
| --- | --- |
| Serv-U 15.2.3 HF1 | Apply Serv-U 15.2.3 HF2, available in your Customer Portal |
| Serv-U 15.2.3 | Apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal |
| All Serv-U versions prior to 15.2.3 | Upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal |
For the installation procedure, go to https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-2-3-HotFix-2?language=en_US.
Other Protection Measures
Users who cannot upgrade immediately can disable the SSH listener in Serv-U as a temporary workaround. This removes the vulnerable code path from the network, but it also stops SFTP service for clients that depend on it; re-enable SSH only after the hotfix has been applied.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.