Enterprise IT software vendor unsure of scope of impact
UPDATED SolarWinds has patched a remote code execution (RCE) vulnerability in its Serv-U file transfer products after Microsoft observed exploitation against “a limited, targeted set of customers” by “a single threat actor”.
“A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges,” said SolarWinds. “An attacker could then install programs; view, change, or delete data; or run programs on the affected system.”
Having been alerted to the flaw and hostile exploitation by Microsoft, SolarWinds said it “mobilized to address it quickly”, issuing a hotfix on July 9.
The enterprise IT software vendor said it doesn’t yet “have an estimate of how many customers may be directly affected by the vulnerability”, or the identity of any potentially affected customers.
SolarWinds said the flaw “is completely unrelated to the Sunburst supply chain attack” that unfolded at the tail end of 2020, in which nation-state attackers compromised SolarWinds clients such as Microsoft, FireEye, and US government agencies via vulnerabilities in SolarWinds’ Orion software.
A SolarWinds spokesperson told The Daily Swig: “Microsoft has detected a limited amount of activity associated with this issue. Regardless, we quickly released a patch to help ensure the protection of customer environments.
“It's important to note that this is a software vulnerability like those commonly seen in all software vendors. It is not a new cyberattack.”
Indicators of compromise
The vulnerability exists in all Serv-U versions up to and including 15.2.3 HF1, and has been addressed in Serv-U 15.2.3 HF2.
“We recommend all customers using Serv-U install this fix immediately for the protection of your environment,” said SolarWinds.
SolarWinds has confirmed that no other SolarWinds or N-able (formerly SolarWinds MSP) products are affected by the flaw.
The company has warned Serv-U customers that exceptions being thrown within their environment could be a sign of compromise – although there are other potential causes – because exploitation takes the form of a return-oriented programming (ROP) attack.
Another potential indicator of compromise is “potentially suspicious connections via SSH”.
Customers are safe from attacks exploiting the vulnerability when SSH is disabled, added SolarWinds.
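The two indicators above, together with the version boundary given earlier (every build up to and including 15.2.3 HF1 is affected, 15.2.3 HF2 is the fix) and the note that the issue is not exploitable with SSH disabled, can be folded into a small triage script. The following is an added example written for this article, not code or guidance from SolarWinds: the log line layout, the sample log lines, the trusted network range and the function names are all constructed assumptions, so the parsing regexes would need to be adapted to whatever a real Serv-U deployment actually logs.

```python
import ipaddress
import re

# Version boundary as stated in the advisory: 15.2.3 HF1 is the last vulnerable build.
LAST_VULNERABLE = (15, 2, 3, 1)
FIXED_VERSION = "15.2.3 HF2"

# Accepts "major.minor.patch" optionally followed by " HFn" (hotfix number).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '15.2.3 HF1' into a comparable tuple; a build with no HF suffix is hotfix level 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf) if hf else 0)


def is_vulnerable(version: str) -> bool:
    """True for every build up to and including 15.2.3 HF1."""
    return parse_version(version) <= LAST_VULNERABLE


# Constructed sample log lines in a hypothetical "<timestamp> <LEVEL> <component> <message>"
# layout. This is NOT Serv-U's real log format; it only stands in for one.
SAMPLE_LOG = """\
2021-07-09T10:01:02Z INFO  ssh  connection from 10.0.0.12 port 51234
2021-07-09T10:01:05Z INFO  ssh  connection from 198.51.100.77 port 40211
2021-07-09T10:01:06Z ERROR core unhandled exception in request handler
2021-07-09T10:01:07Z INFO  ftp  connection from 10.0.0.15 port 50001
2021-07-09T10:01:09Z ERROR core unhandled exception in request handler
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$")
CONN_RE = re.compile(r"connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed allowlist: SSH connections from outside these ranges are treated as worth a look.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def triage_log(text: str, trusted_nets=TRUSTED_NETS) -> dict:
    """Count the two indicators the vendor named: thrown exceptions and unexpected SSH connections."""
    exceptions = 0
    suspicious_ssh = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        msg = m["msg"]
        if "exception" in msg.lower():
            exceptions += 1
        if m["comp"].lower() == "ssh":
            conn = CONN_RE.search(msg)
            if conn:
                addr = ipaddress.ip_address(conn["ip"])
                if not any(addr in net for net in trusted_nets):
                    suspicious_ssh.append(str(addr))
    return {"exceptions": exceptions, "suspicious_ssh": suspicious_ssh}


def assess(version: str, log_text: str, ssh_enabled: bool = True) -> dict:
    """Combine the version check with the log indicators into a single triage verdict."""
    indicators = triage_log(log_text)
    vulnerable = is_vulnerable(version)
    if not vulnerable:
        status = "patched"
    elif not ssh_enabled:
        status = "ssh-disabled"  # per the vendor, not exploitable without SSH; still upgrade
    elif indicators["exceptions"] or indicators["suspicious_ssh"]:
        status = "investigate"  # vulnerable build AND indicators present
    else:
        status = "patch"  # vulnerable build, no indicators seen in this log
    return {"version": version, "fixed_in": FIXED_VERSION, "vulnerable": vulnerable,
            "status": status, **indicators}


if __name__ == "__main__":
    print(assess("15.2.3 HF1", SAMPLE_LOG))
```

The exception counter is deliberately coarse: as the advisory itself notes, exceptions have other causes, so a non-zero count is a prompt to look at the crash details and the SSH peer addresses together, not a verdict on its own.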
The company also said that “additional details of the vulnerability will be published after giving customers sufficient time to upgrade for the protection of their environments”.
This article was updated on July 13 with the addition of comments from SolarWinds.