IT administrators with systems using SolarWinds’ Serv-U Managed File Transfer and Serv-U Secure FTP are being urged to install a hotfix to fix a serious vulnerability.
In a security advisory issued over the weekend the company said the bug could allow an attacker to run arbitrary code with privileges, install malicious programs, and view, change, or delete data.
Admins who can’t install these updates should see SolarWinds’ FAQ for information on how to help protect their systems from this vulnerability.
The vulnerability was discovered by Microsoft, which said it found evidence of “limited, targeted customer impact.” It also provided a proof of concept of the exploit.
SolarWinds said it does not currently have an estimate of how many customers may be directly affected by the vulnerability. The company added that the vulnerability in these two applications doesn’t affect any of SolarWinds’ other products.
This follows the discovery of vulnerabilities late last year in a similar file transfer utility, Accellion’s FTA application. These vulnerabilities have led to a number of high-profile data thefts that continue to be revealed by organizations that either were hit before patches were released or didn’t patch fast enough.
SolarWinds’ Serv-U Managed File Transfer is file transfer protocol server software that offers centralized file transfer management and automation using FTP, FTPS, SFTP and HTTP/S over IPv4 and IPv6 networks. The Serv-U File Transfer Protocol Server is for those needing only file transfer using FTP and FTPS.
SolarWinds customers on active maintenance for the Serv-U product should log into their Customer Portal to access the updates. This update is expected to take only a few minutes to implement.
For those who are not on active maintenance and currently using a Serv-U product, SolarWinds’ Customer Success team will answer questions. Staff should open a customer service ticket with the subject “Serv-U Assistance.”
One sign of compromise is potentially suspicious SSH connections from three IP addresses. SolarWinds added that if SSH isn’t enabled in an organization’s environment the vulnerability does not exist.
“This attack is a Return Oriented Programming (ROP) attack,” it said. “When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack.”
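The two indicators above, suspicious SSH connections from known source addresses and an exception thrown by the Serv-U process, can be combined in a simple log triage script. The following is an added example and not code from SolarWinds or Microsoft: the log line format is an assumption, the watchlist uses placeholder RFC 5737 addresses because the article does not list the three IPs, and the sample log lines are constructed. It treats a watchlisted SSH source as a high-confidence signal and an exception on its own as a low-confidence one, mirroring the advisory’s caveat that exceptions have many causes.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical watchlist. The advisory refers to three source IPs but this
# article does not name them, so these are placeholder documentation addresses.
WATCHLIST = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("198.51.100.23"),
    ipaddress.ip_address("203.0.113.77"),
}

# Assumed log line shape: "<timestamp> <facility> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<facility>\S+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Finding:
    timestamp: str
    kind: str      # "watchlist_ssh" (high confidence) or "exception" (low confidence)
    detail: str


def scan(lines: Iterable[str]) -> List[Finding]:
    """Extract the two indicator types from Serv-U-style log lines."""
    findings: List[Finding] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, facility, msg = m.group("ts"), m.group("facility"), m.group("msg")

        # Only SSH connections matter for the source-address indicator; the
        # advisory says the bug is not reachable when SSH is disabled.
        if facility == "SSH":
            for ip_text in IP_RE.findall(msg):
                try:
                    ip = ipaddress.ip_address(ip_text)
                except ValueError:
                    continue
                if ip in WATCHLIST:
                    findings.append(Finding(ts, "watchlist_ssh", f"SSH connection from {ip}"))

        # Exceptions are recorded but, per the advisory, are not by themselves
        # an indicator of attack.
        if "exception" in msg.lower():
            findings.append(Finding(ts, "exception", msg))
    return findings


def assess(findings: List[Finding]) -> str:
    """Collapse findings into a triage priority."""
    kinds = {f.kind for f in findings}
    if "watchlist_ssh" in kinds:
        return "high"       # watchlisted SSH source seen; investigate the host
    if "exception" in kinds:
        return "low"        # exceptions only; review, but many benign causes
    return "none"


# Constructed sample log for demonstration; not real Serv-U output.
SAMPLE_LOG = """\
2021-07-10T14:02:11Z SSH Connection opened from 192.0.2.10:51234
2021-07-10T14:02:12Z SSH Exception caught in receive handler, session 8
2021-07-10T14:05:00Z FTP Connection opened from 10.0.0.5:4021
2021-07-10T14:06:30Z SSH Connection opened from 10.0.0.9:50001
2021-07-10T14:07:02Z HTTP Exception caught: invalid request
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.timestamp} [{f.kind}] {f.detail}")
    print("priority:", assess(results))
```

On the sample log the script reports one watchlisted SSH connection and two exceptions, and rates the host as high priority; a log containing only the two exception lines would be rated low, which is the distinction the advisory asks responders to keep in mind.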
The company stresses this vulnerability is unrelated to the infamous Sunburst supply chain attack, through which an attacker was able to compromise the update mechanism for the Orion IT management platform.