CVE-2024-28995
On June 5 of this year, SolarWinds released an update for a zero-day vulnerability in their Serv-U Managed File Transfer Server. The vulnerability is classified as a Local File Disclosure Directory Traversal vulnerability, which means attackers can exploit a path traversal issue by manipulating URL parameters in HTTP requests. Those requests bypass the server's directory checks, require no authentication, and allow the attacker to access restricted files on the server. This vulnerability is being actively exploited in the wild and can become a critical issue for companies that don't apply the provided hotfix.
GreyNoise Labs set up two honeypots that have been running for the last 3 months, designed to simulate this vulnerability and catch attackers trying to exploit it. This tactic allowed them to observe and study every exploitation attempt within the honeypots. They succeeded in capturing attackers' payloads and the types of files being targeted. The exploits observed and other attempt information can be found here.
Impact
This vulnerability can be exploited easily and has the potential to cause data leaks or compromise critical system files. It requires no authentication and is completed with a single HTTP request directed at the vulnerable server. The vulnerability could impact data confidentiality and, in worse cases, even device integrity if the server is breached as a result.
Affected Software
SolarWinds Serv-U 15.4.2 HF 1 and previous versions for both Windows and Linux OS. This includes both FTP Servers and MFT Servers.
Remediation
SolarWinds has released a hotfix specifically for this vulnerability that requires a technician or engineer to apply, as it is a manual installation on the server. The hotfix does require some preliminary analysis to determine whether your server has the default configuration; if not, you may have to adjust the hotfix steps to work for your specific server.
An important step to mention during the installation is backing up the files involved in the hotfix; otherwise, if an error occurs, you won't be able to revert the changes easily. Beyond that, the installation steps provided by SolarWinds are straightforward and walk you through the entire process.
You can find the installation steps for the hotfix here.
Recommendations
Patch and follow remediation guidelines: It is recommended that everyone who uses this SolarWinds service follow the recommended guidelines to apply the hotfix to their Serv-U servers.
Assess Risk: This vulnerability is easily exploitable with little effort from the attackers and can cause significant data leaks and potentially more damage if left unaddressed.
Implement Firewall Rules: This vulnerability requires no user interaction and doesn't even need authentication when requesting files via HTTP. So, if applying the hotfix isn't a viable option right away, consider implementing or adjusting web application firewall rules to block path traversal attempts from unexpected sources.
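To support the firewall and risk-assessment recommendations above, the following added example (not code from SolarWinds, GreyNoise, or this advisory) shows the kind of check a defender can run over web server access logs or feed into a WAF rule: it decodes each request target, including double percent-encoding, and flags any path or query-parameter value containing a ".." segment. The log lines and the query parameter name "param" are constructed placeholders, not the real Serv-U parameter or captured traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). "param" is a
# placeholder query parameter, not the real Serv-U parameter name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /?param=../../../etc/passwd HTTP/1.1" 200 1234
203.0.113.6 - - [10/Jun/2024:12:00:02 +0000] "GET /?param=%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /?param=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2024:12:00:04 +0000] "GET /login?user=alice HTTP/1.1" 200 2048
198.51.100.10 - - [10/Jun/2024:12:00:05 +0000] "GET /files/report.pdf HTTP/1.1" 200 9000
"""

# Fields we need from a Common Log Format line: client IP, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." that forms a whole path segment (start or "/" before, "/" or end after).
# This deliberately does not match names such as "file..txt".
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if the request path or any query value contains a '..' segment after decoding."""
    parts = urlsplit(target)
    candidates = [parts.path]
    # parse_qsl already applies one round of decoding to each value.
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for candidate in candidates:
        # Normalise backslashes so Windows-style "..\" is caught as well.
        decoded = fully_decode(candidate).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            return True
    return False


def flag_traversal_requests(log_text):
    """Return (ip, target, status) for every log line whose request contains traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        if has_traversal(match.group("target")):
            hits.append((match.group("ip"), match.group("target"), int(match.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target} (status {status})")
```

When reviewing the flagged lines, pay particular attention to traversal requests that received a 200 response: a blocked or patched server should reject them, so a successful response is a signal that the request may have reached a vulnerable handler and the server should be treated as potentially compromised until the hotfix is confirmed in place.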
Associated Bulletins
https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995
https://www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/
https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-2-Hotfix-2-Release-Notes