CyberWatch

Vulnerability in SolarWinds Managed File Transfer Server Actively Exploited

By

Matthew Fagan, VM Patch Analyst and Jarin Graff, VM Intern

By

Access Point Consulting

CVE-2024-28995

On June 5 of this year, SolarWinds released an update for a zero-day vulnerability for their Serv-U Managed File Transfer Server. The vulnerability is classified as a Local File Disclosure Directory Transversal vulnerability, which means attackers can exploit a path traversal issue. This is exploited by manipulating URL parameters in HTTP requests. Those HTTP requests bypass the directory checks, don’t require any authentication, and allow the attacker to access restricted files on the server. This vulnerability is actively exploited and spreading among real-world computers and can become a critical issue for companies that don’t apply the provided hotfix.

GreyNoise Labs setup two honeypots, that have been running for the last 3 months, are designed to simulate this vulnerability and catch attackers trying to exploit it. This tactic allowed them to oversee and study any attempt at exploitation with in the honeypots. They succeeded in capturing attackers’ payloads and the types of files being targeted.  The exploits observed and other attempt information can be found here.

Impact

This vulnerability can be exploited easily and has the potential to cause data leaks or compromise critical system files. It requires no authentication and is completed with a simple HTTP request directed to the vulnerable server. The vulnerability could impact data confidentiality and on worse cases even device integrity if the server is breached as a result.

Affected Software

SolarWinds Serv-U 15.4.2 HF 1 and previous versions for both Windows and Linux OS. This includes both FTP Severs and MFT Servers

Remediation   

SolarWinds has released a hotfix specifically for this vulnerability that requires a technician or engineer to apply as it is a manual installation on the server. The hotfix does require some preliminary analysis to determine if your server has the default configurations, if not you may have to adjust the hotfix steps to work for your specific server.

An important step to mention during the installation is backing up the necessary files involved in the hotfix, otherwise if an error occurs you won’t be able to revert the changes easily. Otherwise, the installation steps provided by SolarWinds is straight forwards and walks you through the entire process.

You can find the installation steps for the hotfix here.

Recommendations    

Patch and follow remediation guidelines: It is recommended that everyone who uses this SolarWinds service follow the recommended guidelines to apply the hotfix to your Serv-U servers.

Assess Risk: This vulnerability is easily exploitable with little effort from the attackers and can cause significant data leaks and potentially more damage if left untreated.

Implement Firewall Rules: This vulnerability requires no user interaction and doesn’t even need authentication when requesting files using the HTTP requests. So, if using the hotfix isn’t a viable option right away, consider implementing web application firewalls/adjust rules to block path traversal attempts from unexpected sources.

Associated Bulletins

https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995

https://www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/

https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-2-Hotfix-2-Release-Notes

Resources

Trending Articles & Security Reports

Resources

CyberWatch

November 22, 2024

Patch Updates, New Malware Threats, and the Ongoing Supply Chain Battle

On this episode of the CyberWatch podcast, there are updates to software across the application and OS spectrum. New malicious campaigns are threatening victims of all sizes, and researchers have performed dissections on malware to give defenders new clues about just what it is they're fighting. All this today, in CyberWatch.

Find out more
October 25, 2024

Ransomware, Supply Chain Attacks, and Nation-State Threats

CyberWatch, by Access Point Consulting, is your weekly source for emerging cybersecurity news, regulatory updates, and threat intelligence. Backed by experts in security consulting, regulatory compliance, and security operations, Access Point enables you to manage cyber risks, respond to incidents, and drive innovation in your company. Read here or on our website; listen on Spotify or Apple Podcasts; or watch on YouTube.website; listen on Spotify or Apple Podcasts; or watch on YouTube. .

Find out more
October 7, 2024

VINs and Losses: How Hackers Take Kias for a Ride

In the age of smart cars and connected devices, convenience often comes with hidden risks. A recently discovered critical vulnerability in Kia vehicles serves as a stark reminder of how our increasingly digital world is making cars new targets for cyberattacks. This vulnerability allowed hackers to remotely control various vehicle functions—using nothing more than a car's license plate number. It highlights the growing threat of cyberattacks on connected cars and the importance of cybersecurity in the automotive industry.

Find out more