Microsoft warns of new vulnerability in SolarWinds products

Sheila Zabeu -

July 13, 2021

In a statement issued late last week, SolarWinds says it has been notified by Microsoft of a zero-day vulnerability related to the Serv-U Managed File Transfer Server and Serv-U Secured FTP products – and, by extension, also to Serv-U Gateway, which is a component of both products. The flaw was exploited by a single threat actor to attack a limited set of customers.

According to the alert, an attacker exploiting the flaw could remotely execute arbitrary code with privileges, allowing them to install programs and to view, change or delete data on vulnerable systems.

SolarWinds said the attacks were uncovered by Microsoft teams, who observed attacks achieving remote code execution on SolarWinds Serv-U. In addition, Microsoft presented a proof-of-concept of the intrusion along with evidence of the zero-day attacks.

The vulnerability affects Serv-U 15.2.3 HF1, the latest release at the time (published on 5 May 2021), and all previous versions. A hotfix is now available (Serv-U 15.2.3 HF2). Please refer to the security updates table below for the update applicable to your system. The company recommends that customers install these updates immediately.

[Security updates table. Source: SolarWinds]

According to SolarWinds, this zero-day attack is unrelated to the Orion case involving the company in late 2020. Tampered updates to SolarWinds’ Orion product started one of the largest supply chain attacks in history, which compromised several private-sector companies, but mainly major US government agencies.

At the time, it was assessed that 18,000 customers had downloaded the updates believing them to be genuine. Once installed, the tampered updates opened the door to further attacks and other subsequent, potentially criminal activities, such as espionage and theft of state secrets.

How do you know if your environment has been compromised?

According to SolarWinds, the following are steps that can help determine if your environment has been compromised:

  1. Is SSH enabled for your Serv-U installation? If SSH is not enabled in the environment, the vulnerability does not exist.

  2. Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack. When exploited, the vulnerability causes the Serv-U product to throw an exception and then hijacks the exception handling code to run commands.

    - Several reasons exist for exceptions to be thrown, so an exception by itself is not necessarily an indicator of attack.
    - Collect the DebugSocketlog.txt log file.
    - In DebugSocketlog.txt you may see an exception such as:

      07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005;  CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066;  nPacketLength = 76;  nBytesReceived = 80;  nBytesUncompressed = 156;  uchPaddingLength = 5

    - Exceptions may be thrown for other reasons, so collect the logs to assist with determining your situation.

  3. Are you seeing potentially suspicious connections via SSH? Look for SSH connections from the following IP addresses, which have been reported as potential indicators of attack by the threat actor:

    - 98.176.196.89
    - 68.235.178.32

    Also look for connections via TCP 443 from the following IP address:

    - 208.113.35.58
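The three checks above can be run as one triage script over a copy of DebugSocketlog.txt and an export of connection records (firewall or netflow logs). The following is an added example written for this article, not SolarWinds' or Microsoft's own tooling. It assumes that exception lines in DebugSocketlog.txt keep the general shape of the one quoted in the advisory (timestamp, "EXCEPTION:", an 8-hex-digit code, then a class::method name), that SSH for Serv-U listens on port 22, and that connection records are available as (source IP, destination port) pairs; the sample log and connection list are constructed, apart from the exception line and indicator IPs reproduced from the advisory text above.

```python
import re
from dataclasses import dataclass

# Indicator IPs reproduced from the SolarWinds advisory quoted above.
SSH_IOC_IPS = {"98.176.196.89", "68.235.178.32"}
HTTPS_IOC_IPS = {"208.113.35.58"}
ALL_IOC_IPS = SSH_IOC_IPS | HTTPS_IOC_IPS

# Assumed shape of a Serv-U exception line, derived from the single example
# in the advisory: "Tue 01Jun21 02:42:58 - EXCEPTION: C0000005;  CSUSSHSocket::ProcessReceive(); ..."
# The dash is accepted as "-" or "–" because copied logs often carry the latter.
EXCEPTION_RE = re.compile(
    r"(?P<ts>\w{3} \d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) [-–] EXCEPTION: "
    r"(?P<code>[0-9A-Fa-f]{8});\s*(?P<where>[\w:]+)\(\)"
)


@dataclass
class ExceptionFinding:
    line_no: int
    timestamp: str
    code: str
    where: str


def find_ssh_exceptions(log_lines):
    """Return exceptions that match the advisory pattern: an access violation
    (C0000005) raised inside the SSH socket handler (CSUSSHSocket::*).
    Other exceptions are deliberately ignored, as the advisory says they are
    not by themselves an indicator of attack."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        m = EXCEPTION_RE.search(line)
        if not m:
            continue
        if m["code"].upper() == "C0000005" and m["where"].startswith("CSUSSHSocket::"):
            findings.append(ExceptionFinding(line_no, m["ts"], m["code"], m["where"]))
    return findings


def match_ioc_connections(connections, ssh_port=22):
    """Flag connections from the reported IPs. Matches that follow the advisory
    wording exactly (SSH from the first two, TCP 443 from the third) are tagged
    as such; any other port from a reported IP is still surfaced for review."""
    hits = []
    for src_ip, dst_port in connections:
        if src_ip not in ALL_IOC_IPS:
            continue
        if dst_port == ssh_port and src_ip in SSH_IOC_IPS:
            tag = "ssh-from-reported-ip"
        elif dst_port == 443 and src_ip in HTTPS_IOC_IPS:
            tag = "tcp443-from-reported-ip"
        else:
            tag = "reported-ip-other-port"
        hits.append((src_ip, dst_port, tag))
    return hits


def triage(ssh_enabled, log_lines, connections, ssh_port=22):
    """Steps 1-3 of the advisory in order: no SSH means the vulnerable code
    path is not exposed, so the log and connection checks are skipped."""
    if not ssh_enabled:
        return {"exposed": False, "exceptions": [], "ioc_hits": []}
    return {
        "exposed": True,
        "exceptions": find_ssh_exceptions(log_lines),
        "ioc_hits": match_ioc_connections(connections, ssh_port),
    }


# Constructed sample input. Line 2 is the exception line from the advisory;
# lines 1 and 3 are made up to show that unrelated entries are not flagged.
SAMPLE_LOG = [
    "[01] Tue 01Jun21 02:42:50 - (000001) Connected to 203.0.113.7 (local address 192.0.2.10, port 22)",
    "[07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005;  CSUSSHSocket::ProcessReceive(); Type: 30; "
    "puchPayLoad = 0x041ec066;  nPacketLength = 76;  nBytesReceived = 80;  nBytesUncompressed = 156;  uchPaddingLength = 5",
    "[07] Tue 01Jun21 03:10:02 - EXCEPTION: C0000094;  CSFTPSocket::ProcessCommand(); Type: 12",
]

# Constructed (source IP, destination port) records; 203.0.113.7 is a benign filler.
SAMPLE_CONNECTIONS = [
    ("203.0.113.7", 22),
    ("98.176.196.89", 22),
    ("68.235.178.32", 443),
    ("208.113.35.58", 443),
]

if __name__ == "__main__":
    report = triage(True, SAMPLE_LOG, SAMPLE_CONNECTIONS)
    for f in report["exceptions"]:
        print(f"line {f.line_no}: {f.code} in {f.where} at {f.timestamp}")
    for src, port, tag in report["ioc_hits"]:
        print(f"{src} -> tcp/{port}: {tag}")
```

A C0000005 exception in CSUSSHSocket plus a connection from a reported IP in the same time window is the combination worth escalating; either on its own still needs the log collection the advisory asks for before drawing a conclusion.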