Lucene search

K
thnThe Hacker NewsTHN:8636741FCF3A03B6238D8BAF1D9D00EB
HistoryJul 13, 2021 - 3:58 a.m.

A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack

2021-07-1303:58:00
The Hacker News
thehackernews.com
61

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

SolarWinds vulnerability

SolarWinds, the Texas-based company that became the epicenter of a massive supply chain attack late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service.

The fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn’t clear exactly how the attack was carried out.

“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” SolarWinds said in an advisory published Friday, adding it’s “unaware of the identity of the potentially affected customers.”

Impacting Serv-U versions 15.2.3 HF1 and before, a successful exploitation of the shortcoming (CVE-2021-35211) could enable an adversary to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.

As indicators of compromise, the company is urging administrators to watch out for potentially suspicious connections via SSH from the IP addresses 98[.]176.196.89 and 68[.]235.178.32, or via TCP 443 from the IP address 208[.]113.35.58. Disabling SSH access on the Serv-U installation also prevents compromise.

The issue has been addressed in Serv-U version 15.2.3 hotfix (HF) 2.

SolarWinds also stressed in its advisory that the vulnerability is “completely unrelated to the SUNBURST supply chain attack” and that it does not affect other products, notably the Orion Platform, which was exploited to drop malware and dig deeper into the targeted networks by suspected Russian hackers to spy on multiple federal agencies and businesses in one of the most serious security breaches in U.S. history.

A string of software supply chain attacks since then has highlighted the fragility of modern networks and the sophistication of threat actors to identify hard-to-find vulnerabilities in widely-used software to conduct espionage and drop ransomware, in which hackers shut down the systems of business and demand payment to allow them to regain control.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Related for THN:8636741FCF3A03B6238D8BAF1D9D00EB