SolarWinds Attack: Active Exploits Of Serv-U Vulnerability

A significant vulnerability in SolarWinds‘ Serv-U file transfer software has recently been patched, but not before it was actively exploited by cybercriminals. The vulnerability, identified as CVE-2024-28995, holds a CVSS score of 8.6, indicating its high severity. This SolarWinds attack, a directory traversal bug, allows attackers to access sensitive files on the host machine, potentially leading to severe security breaches. Let’s have a look at the in-depth solarwinds attack analysis to understand the impact and prevent future breaches.

Affected Versions and Patch Details

The flaw affects all versions of Serv-U software up to and including Serv-U 15.4.2 HF 1. SolarWinds has addressed this issue in their latest release, Serv-U 15.4.2 HF 2 (15.4.2.157), which became available earlier this month. Users of the following products are particularly vulnerable:

• Serv-U FTP Server 15.4
• Serv-U Gateway 15.4
• Serv-U MFT Server 15.4
• Serv-U File Server 15.4

SolarWinds Attack – Discovery and Exploitation

Hussein Daher, a security researcher at Web Immunify, is credited with discovering and reporting the high-severity flaw. Following the public disclosure, detailed technical information and a proof-of-concept (PoC) exploit were released, enabling a broader range of attackers to exploit this vulnerability. Cybersecurity firm Rapid7 has described the vulnerability as easy to exploit, allowing external unauthenticated attackers to read any file on the disk, provided they know the file path and the file is not locked.

Impact and Threat Landscape

According to Rapid7, high-severity information disclosure issues like CVE-2024-28995 are often used in “smash-and-grab” attacks. In these solarwinds hackers attacks, adversaries quickly exfiltrate data from file transfer solutions to extort victims. File transfer products have been a frequent target for various adversaries, including ransomware groups, over the past several years.

Threat intelligence firm GreyNoise has reported that attackers have already started leveraging the solarwinds attack malware. Opportunistic attacks have been observed against GreyNoise’s honeypot servers, with attackers attempting to access sensitive files such as /etc/passwd. Some of these attacks have been traced back to sources in China.

Solarwinds Attack Summary

Given the history of vulnerabilities in Serv-U software being exploited by threat actors, it is crucial for users to apply the latest updates immediately. The availability of publicly accessible PoCs significantly lowers the barrier for malicious actors, making it easier for them to exploit this flaw.

Naomi Buckwalter, director of product security at Contrast Security, emphasized the potential for this vulnerability to serve as a gateway for further attacks. By gaining access to sensitive information such as credentials and system files, attackers can use this data to launch more extensive attacks, a method known as “chaining.” This could result in a broader compromise, affecting other systems and applications.

Conclusion

The recent exploitation of the CVE-2024-28995 vulnerability in SolarWinds’ Serv-U software underscores the critical need for timely patching and robust security measures. As cyber threats continue to evolve, maintaining up-to-date systems and applying security patches promptly is essential to safeguarding sensitive information and ensuring business continuity.

Users of Serv-U products should prioritize updating to the latest version to mitigate potential risks and protect against malicious attacks. Stay informed with the latest solarwinds attack news and protect your systems from emerging threats.

The sources for this piece include articles in The Hacker News and TechTarget.