SolarWinds Serv-U Zero-Day Vulnerability

THE THREAT

SolarWinds announced that a zero-day vulnerability exists in the Serv-U Managed File Transfer Server and Serv-U Secured FTP products and is under active exploitation by at least one threat actor group. The vulnerability is tracked as CVE-2021-35211; it is categorized as a Remote Code Execution (RCE) vulnerability, and exploitation may allow a threat actor to run arbitrary code with privileges.

SolarWinds released a hotfix to remediate the vulnerability in both Serv-U Managed File Transfer Server and Serv-U Secured FTP. Organizations are strongly recommended to apply the hotfix as soon as possible as exploitation is ongoing.

What we’re doing about it

• Known IPs related real world attacks have been blocked via esNETWORK
• Indicator sweeps have been performed for all esENDPOINT and esLOG customers
  • Any impacted organizations will be notified directly
• MVS will automatically add the relevant plugins for these vulnerabilities once details are made available
• eSentire security teams are tracking this threat for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant SolarWinds hotfix (15.2.3 hotfix (HF) 2)
• If patching is not possible, restrict access to the appliance to trusted hosts
  • If SSH is not enabled in the environment, the vulnerability does not exist

Additional information

CVE-2021-35211 exists in Serv-U version 15.2.3 HF1 released May 5, 2021 and all prior Serv-U versions. Serv-U Managed File Transfer Server and Serv-U Secured FTP are the only impacted SolarWinds products.

SolarWinds was notified of the zero-day vulnerability by Microsoft. According to SolarWinds, “…vulnerability exploit involves a limited, targeted set of customers and a single threat actor”. No additional details on the attacks exploiting this vulnerability are publicly available at the time of writing.

References:

[1] https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211