CVE-2024-28995 [1] [2] [3] [4] [5] [6] [7], a high-severity directory traversal vulnerability [3] [6] in SolarWinds Serv-U file transfer software, is being actively exploited by threat actors.
Description
The vulnerability, discovered by security researcher Hussein Daher, is a directory traversal bug that lets an unauthenticated remote attacker read sensitive files on the host machine [2] [4]. A GET request for the root path (/) carrying crafted arguments [5] is enough to read any file on disk that the Serv-U service account can access [4]. Affected versions are Serv-U 15.4.2 HF 1 and earlier; SolarWinds fixed the issue in Serv-U 15.4.2 HF 2 [2].

The Centre for Cybersecurity Belgium (CCB) has confirmed exploitation and urged users to patch promptly [3]. GreyNoise researchers have observed in-the-wild exploitation attempts, including attackers experimenting with publicly available proof-of-concept exploit code [5]. Tenable has released plugins for CVE-2024-28995 that identify affected systems [7].

Rapid7 researchers estimate that between 5,500 and 9,500 exposed instances of SolarWinds Serv-U FTP Server, Gateway, MFT Server and File Server are at risk of unauthorized file access and compromise [1]. Observed intrusions mix manual and automated attempts to deliver platform-specific payloads, reading Linux user account data and Windows configuration files that can support privilege escalation [1]. Organizations should apply the SolarWinds fix promptly and, because a proof of concept is public, review access logs for exploitation attempts that predate the patch.
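The two checks below are an added illustration and are not SolarWinds or Serv-U code. The first contrasts a naive traversal deny-list with a canonicalising resolver, showing why filtering only the literal "../" leaves backslash and URL-encoded variants through; the second parses version strings in the "15.4.2 HF 1" form the advisory uses so an inventory script can flag builds below 15.4.2 HF 2. The parameter names, the document root and every sample input are constructed for the example.

```python
"""Added example (not Serv-U code): naive vs canonicalising traversal check,
plus a version test for the affected Serv-U range. Parameter names, ROOT and
the sample inputs are constructed assumptions."""
import posixpath
import re
import urllib.parse
from typing import Optional, Tuple

ROOT = "/srv/files"  # hypothetical document root of a file-serving handler


def naive_is_safe(dir_param: str, file_param: str) -> bool:
    """A deny-list of the kind traversal bugs routinely slip past: it rejects
    only the literal "../", so backslash and URL-encoded forms are accepted."""
    return "../" not in f"{dir_param}/{file_param}"


def resolve_under_root(dir_param: str, file_param: str, root: str = ROOT) -> Optional[str]:
    """Decode, normalise both separator styles, then require the resolved path
    to stay under root. Returns the resolved path, or None if it escapes.
    Lexical only: a production handler should also realpath() the result so a
    symlink inside root cannot point outside it."""
    parts = []
    for raw in (dir_param, file_param):
        # Decode twice so a double-encoded "%252e%252e" is caught as well.
        decoded = urllib.parse.unquote(urllib.parse.unquote(raw))
        if "\x00" in decoded:
            return None  # a NUL byte would truncate the path in a C-level open()
        parts.append(decoded.replace("\\", "/"))
    # Strip leading separators so the join cannot be reset to an absolute path.
    rel = posixpath.join(*parts).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


FIXED_VERSION = (15, 4, 2, 2)  # Serv-U 15.4.2 HF 2, the first fixed build


def parse_servu_version(version: str) -> Tuple[int, int, int, int]:
    """Parse "15.4.2 HF 1" or "15.4.2" into (major, minor, patch, hotfix);
    a missing hotfix counts as 0. The string format is assumed from the
    advisory's naming, not from Serv-U's own version output."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:HF|Hotfix)\s*(\d+))?\s*",
                     version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {version!r}")
    major, minor, patch, hf = m.groups()
    return int(major), int(minor), int(patch), int(hf or 0)


def is_affected(version: str) -> bool:
    """True for Serv-U 15.4.2 HF 1 and earlier."""
    return parse_servu_version(version) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed inputs: one benign request and three traversal variants.
    samples = [
        ("reports", "q1.pdf"),
        ("../../../etc", "passwd"),          # caught by both checks
        ("..\\..\\..\\etc\\", "passwd"),      # backslashes slip past the deny-list
        ("..%2f..%2f..%2fetc", "passwd"),     # URL-encoded slashes slip past too
    ]
    for d, f in samples:
        print(f"{d!r:26} {f!r:10} naive_ok={naive_is_safe(d, f)!s:5} "
              f"resolved={resolve_under_root(d, f)}")
    for v in ("15.4.2 HF 1", "15.4.1", "15.4.2 HF 2", "15.5.0"):
        print(f"{v:12} affected={is_affected(v)}")
```

The resolver jails even an absolute file parameter under root rather than rejecting it, which is the behaviour most file servers want; if the handler should instead refuse absolute input outright, add that test before the join.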
Conclusion
Organizations running Serv-U should update to 15.4.2 HF 2 or later without delay. An unpatched server allows arbitrary file read, which can expose credentials and configuration data and give an attacker a foothold for further compromise. Internet-facing file transfer services remain a favored target, so operators should treat patching and log review for this vulnerability as immediate priorities.
References
[1] https://www.scmagazine.com/brief/attacks-exploiting-solarwinds-serv-u-bug-underway
[2] https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html
[3] https://www.techtarget.com/searchsecurity/news/366589400/SolarWinds-Serv-U-vulnerability-under-attack
[4] https://vulners.com/thn/THN:773E1F0E105D8630C72ADAE8469D54EF
[5] https://securityaffairs.com/164806/hacking/solarwinds-serv-u-cve-2024-28995-exploit.html
[6] https://www.heise.de/en/news/Patch-now-Attackers-attack-file-transfer-server-SolwarWinds-Serv-U-9772875.html
[7] https://www.tenable.com/blog/cve-2024-28995-solarwinds-serv-u-path-directory-traversal-vulnerability-exploited-in-the-wild