Skip to content

SolarWinds releases patch for actively exploited zero-day vulnerability

Following Microsoft’s advisory sent out last Friday, Solarwinds has released an update for their Serv-U Managed File Transfer and Serv-U Secure FTP tools on Saturday, patching the vulnerability in question, which has been labelled as CVE-2021-35211.

Microsoft had discovered a remote code execution vulnerability in Solarwinds’ Serv-U gateway. Solarwinds further added that the Serv-U gateway is a component of the Serv-U Managed File Transfer and Serv-U Secure FTP tools. 

Microsoft has identified the threat actor that exploited the vulnerability in SolarWinds Serv-U FTP software as Dev-0322, a China-based cybercriminals group.

Customers can log into their Customer Portals to access the updated labelled Serv-U versions 15.2.3 hotfix (HF) 2. The company is also offering customer service help for those currently using a Serv-U product but not on active maintenance. 

Microsoft first discovered the RCE vulnerability.

In the News: CNA reports data leak affecting nearly 75,000 individuals


Have you been compromised?

Solarwinds has also listed several suggestions and questions the admin should go through to check if they’ve been compromised through this vulnerability. 

The attacks are Return Oriented Programming (ROP) attacks in nature. When exploited, the vulnerability can cause Serv-U products to throw an exception and starts intercepting exception handling code to run commands. However, it’s important to remember that exceptions can be thrown for several reasons meaning it’s not necessarily an indicator of attack. 

The advisory also states that users should check their DebugSocketLog.txt file for logs resembling this:

07] Tue 01Jun21 02:42:58 – EXCEPTION: C0000005;  CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066;  nPacketLength = 76; nBytesReceived = 80;  nBytesUncompressed = 156;  uchPaddingLength = 5

Another potential sign of a breach could be potentially suspicious connections via SSH. The following IP addresses have been reported as a potential indicator of attack.

  • 98.176.196.89
  • 68.235.178.32

Alternatively, if you see a TCP connection via port 443 from 208.113.35.58, that’s also a pretty good indicator of attack.

The company has also explicitly stated that this vulnerability isn’t related to the SUNBURST supply chain attack. According to their advisory, “Software vulnerabilities are quite common, range in severity levels, and are routinely resolved by software vendors as part of their ongoing maintenance release schedules.”

Update (14/07/2021): The article was updated with Microsoft Threat Intelligence Center's findings identifying the cybercriminals behind Solarwinds Serv-U zero-day exploit.

In the News: FIFA 22: Pre-orders, Price, Release Date and Features

Hello There!

If you like what you read, please support our publication by sharing it with your friends, family and colleagues. If you're running an Adblocker, we humbly request you to whitelist us.

Share on facebook
Share on whatsapp
Share on twitter
Share on reddit
Share on linkedin
Share on pocket
Share on pinterest
Share on telegram
Share on stumbleupon
Share on digg
Share on tumblr
Share on email
Share on skype
Share on xing
Share on vk
Share on odnoklassniki
Share on mix








>