SolarWinds Issues Patches in Wake of Zero-Day Attacks
Flaw in Serv-U File Transfer Software Unconnected to Orion Supply Chain Attack
Attackers have been exploiting a newly discovered zero-day flaw in SolarWinds software, the security vendor has warned.
The vulnerability exists in Serv-U Managed File Transfer Server and Serv-U Secured FTP. SolarWinds has urged all users to immediately install an emergency security update it issued on Friday to mitigate the flaw.
Designated CVE-2021-35211, "the vulnerability exists in the latest Serv-U version 15.2.3 HF1, designed for cross-platform file sharing, released May 5, and all prior versions," SolarWinds says in a security alert issued Friday. "A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system."
The company says that a "single threat actor" has been exploiting the flaw to hit a "limited, targeted set of customers," but it declined to identify victim organizations or disclose how many it suspects have been hit.
The vulnerability is separate from the massive supply chain attack discovered last December by cybersecurity firm FireEye, involving SolarWinds' Orion software. In that case, attackers added a backdoor - dubbed "Sunburst" by FireEye - to a legitimate SolarWinds software library that was distributed to 18,000 organizations. Attackers then waged follow-on attacks on a subset of those users, including about nine U.S. government agencies and 100 companies.
SolarWinds says the latest flaw was discovered and reported to it by Microsoft security researchers, who also supplied a proof-of-concept attack. Microsoft notes that attackers can exploit the vulnerability to perform a return-oriented programming attack, enabling them to remotely run code and to bypass some existing defenses, such as code signing. Microsoft says that if an attacker successfully exploits the flaw, they can gain privileged access on a system running Serv-U.
To help determine if any existing Serv-U installations have been compromised, SolarWinds recommends users review their logs for any potentially suspicious connections via Secure Shell Protocol, aka SSH. "If SSH is not enabled in the environment, the vulnerability does not exist," the company says.
SolarWinds says users should also watch for any alerts that the product has encountered. "When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception-handling code to run commands," SolarWinds says. "Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack."
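The two review items above (suspicious SSH connections, and exceptions that by themselves prove nothing) are most useful when read together: an exception raised shortly after an SSH connection from the same remote address is the event worth triaging. The script below is an added example, not SolarWinds' or Microsoft's code, and the log lines and their format are constructed for illustration; Serv-U's real log layout is not described in the article, so the field names, event names and timestamp format here are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in an ASSUMED generic layout:
#   "<ISO-8601 UTC timestamp> <LEVEL> <event> key=value ..."
# This is not Serv-U's actual log format; only the triage logic matters here.
SAMPLE_LOG = """\
2021-07-09T10:00:01Z INFO ssh_connect src=203.0.113.10 user=alice
2021-07-09T10:00:05Z INFO ssh_auth_ok src=203.0.113.10 user=alice
2021-07-09T10:02:30Z ERROR exception src=203.0.113.10 msg="access violation in session handler"
2021-07-09T10:10:00Z INFO ssh_connect src=198.51.100.7 user=bob
2021-07-09T10:10:03Z INFO ssh_auth_fail src=198.51.100.7 user=bob
2021-07-09T11:00:00Z ERROR exception src=- msg="disk full while writing log"
2021-07-09T11:30:00Z INFO ftp_connect src=192.0.2.44 user=carol
2021-07-09T11:30:09Z ERROR exception src=192.0.2.44 msg="invalid path"
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one assumed-format line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "level": level,
        "event": event,
        **fields,
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def ssh_events(records):
    """All SSH-related events: the raw material for the 'review SSH connections' step."""
    return [r for r in records if r["event"].startswith("ssh_")]


def correlate_exceptions(records, window=timedelta(minutes=5)):
    """Return exceptions that occur within `window` after an SSH connection from
    the same source address.

    An exception on its own is not an indicator (many benign causes exist), so
    exceptions with no preceding SSH connection from that source are ignored.
    """
    ssh_connects = {}
    for r in records:
        if r["event"] == "ssh_connect":
            ssh_connects.setdefault(r.get("src"), []).append(r["ts"])

    findings = []
    for r in records:
        if r["event"] != "exception":
            continue
        src = r.get("src")
        for t in ssh_connects.get(src, []):
            if t <= r["ts"] <= t + window:
                findings.append({"src": src, "ts": r["ts"], "msg": r.get("msg", "")})
                break
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(ssh_events(recs))} SSH events to review")
    for f in correlate_exceptions(recs):
        print(f"REVIEW: exception from {f['src']} at {f['ts'].isoformat()} -> {f['msg']}")
```

With the constructed input, only the exception from 203.0.113.10 is flagged: it follows an SSH connection from that address by about two and a half minutes. The disk-full exception has no source, and the exception from the FTP client is not tied to SSH, so neither is reported. The window is a tuning knob; real triage would also pull the full session for each flagged source.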
No Links to Sunburst Backdoor
News that attackers have been targeting a freshly discovered flaw in SolarWinds software follows the company having been targeted in one of the largest supply chain attacks in history.
But the latest flaw is not connected to the Sunburst backdoor added by attackers to SolarWinds' Orion network monitoring software (see: Why Didn't Government Detect SolarWinds Attack?).
On April 15, the Biden administration accused the Russian Foreign Intelligence Service, aka the SVR, of conducting the SolarWinds supply chain attack as well as interfering in the 2020 U.S. elections. The Russian government denied having any involvement in any such attacks. The White House subsequently imposed sanctions targeting the Russian government (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).