Following Microsoft’s advisory sent out last Friday, SolarWinds released an update for its Serv-U Managed File Transfer and Serv-U Secure FTP tools on Saturday, patching the vulnerability in question, which has been labelled CVE-2021-35211.
Microsoft had discovered a remote code execution vulnerability in SolarWinds’ Serv-U gateway. SolarWinds added that the Serv-U gateway is a component of the Serv-U Managed File Transfer and Serv-U Secure FTP tools.
Microsoft has identified the threat actor that exploited the vulnerability in SolarWinds Serv-U FTP software as Dev-0322, a China-based cybercriminal group.
Customers can log into their Customer Portals to access the update, labelled Serv-U version 15.2.3 hotfix (HF) 2. The company is also offering customer service help for those currently using a Serv-U product but not on active maintenance.
Have you been compromised?
SolarWinds has also listed several suggestions and questions admins should go through to check whether they’ve been compromised through this vulnerability.
The attacks are Return Oriented Programming (ROP) attacks in nature. When exploited, the vulnerability causes the Serv-U product to throw an exception, and the attacker then intercepts the exception handling code to run commands. However, it’s important to remember that exceptions can be thrown for several reasons, so an exception on its own is not necessarily an indicator of attack.
The advisory also states that users should check their DebugSocketLog.txt file for logs resembling this:
07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5
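The log check above can be scripted. The following Python sketch is an added example, not code from SolarWinds or Microsoft: it parses exception entries in the format of the sample line and flags those with the same exception code and function. Every sample line other than the advisory's is constructed, and a match is a lead for review, not proof of compromise.

```python
import re
from datetime import datetime

# Layout inferred from the single sample line quoted in the advisory;
# other Serv-U log layouts are not covered (assumption).
EXC_RE = re.compile(
    r"(?P<ts>\d{2}[A-Za-z]{3}\d{2} \d{2}:\d{2}:\d{2})\s*[-\u2013]\s*"
    r"EXCEPTION:\s*(?P<code>[0-9A-Fa-f]{8});\s*"
    r"(?P<func>[\w:]+)\(\);\s*(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)\s*[:=]\s*(\w+)")

def parse_exception(line):
    """Return a dict for an EXCEPTION entry, or None for any other line."""
    m = EXC_RE.search(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%d%b%y %H:%M:%S"),
        "code": m["code"].upper(),
        "function": m["func"],
        "fields": dict(KV_RE.findall(m["rest"])),
    }

def triage(lines):
    """Collect every exception entry and mark those resembling the advisory's."""
    hits = []
    for number, line in enumerate(lines, 1):
        rec = parse_exception(line)
        if rec is None:
            continue
        rec["line"] = number
        rec["matches_advisory"] = (
            rec["code"] == "C0000005"
            and rec["function"] == "CSUSSHSocket::ProcessReceive"
        )
        hits.append(rec)
    return hits

SAMPLE = [
    # Constructed lines, for illustration only:
    "07] Tue 01Jun21 02:40:11 - SSH connection accepted",
    "07] Tue 01Jun21 02:41:30 - EXCEPTION: C0000094; CExampleSocket::Read(); Type: 12",
    # Line quoted in the advisory:
    "07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        flag = "REVIEW" if hit["matches_advisory"] else "other "
        print(flag, hit["line"], hit["time"].isoformat(), hit["code"], hit["function"])
```

To run it against a real file, pass `open("DebugSocketLog.txt", errors="replace")` to `triage` in place of `SAMPLE`.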
Another potential sign of a breach is suspicious connections via SSH. The following IP addresses have been reported as potential indicators of attack.
Alternatively, if you see a TCP connection via port 443 from 188.8.131.52, that’s also a pretty good indicator of attack.
The company has also explicitly stated that this vulnerability isn’t related to the SUNBURST supply chain attack. According to their advisory, “Software vulnerabilities are quite common, range in severity levels, and are routinely resolved by software vendors as part of their ongoing maintenance release schedules.”
Update (14/07/2021): The article was updated with Microsoft Threat Intelligence Center's findings identifying the cybercriminals behind the SolarWinds Serv-U zero-day exploit.