-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                  AUSCERT Security Bulletin ASB-2021.0126
                 Serv-U Remote Memory Escape Vulnerability
                               14 July 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            Solarwinds Serv-U
Operating System:   Windows
                    Linux variants
Impact/Access:      Administrator Compromise -- Remote/Unauthenticated
Resolution:         Patch/Upgrade
CVE Names:          CVE-2021-35211
Comment:            This vulnerability is being exploited in the wild.

OVERVIEW

        Solarwinds Serv-U is vulnerable to a remote memory escape that could
        allow arbitrary code to be run remotely with privileges. [1]

IMPACT

        Solarwinds states the following about the vulnerability:

        "The vulnerability exists in the latest Serv-U version 15.2.3 HF1
        released May 5, 2021, and all prior versions. A threat actor who
        successfully exploited this vulnerability could run arbitrary code
        with privileges. An attacker could then install programs; view,
        change, or delete data; or run programs on the affected system." [1]

MITIGATION

        Solarwinds urges customers to upgrade and will release further
        information about the vulnerability after customers are given
        sufficient time to protect their systems.
        Solarwinds recommends upgrading as per the table in their advisory [1]:

        +----------------+-------------------------------------------------+
        |Software Version|Upgrade Paths                                    |
        +----------------+-------------------------------------------------+
        |Serv-U 15.2.3   |Apply Serv-U 15.2.3 HF2, available in your       |
        |HF1             |Customer Portal                                  |
        +----------------+-------------------------------------------------+
        |Serv-U 15.2.3   |Apply Serv-U 15.2.3 HF1, then apply Serv-U       |
        |                |15.2.3 HF2, available in your Customer Portal    |
        +----------------+-------------------------------------------------+
        |All Serv-U      |Upgrade to Serv-U 15.2.3, then apply Serv-U      |
        |versions prior  |15.2.3 HF1, then apply Serv-U 15.2.3 HF2,        |
        |to 15.2.3       |available in your Customer Portal                |
        +----------------+-------------------------------------------------+

        It is also recommended to read the FAQ section of the advisory, which
        covers identifying whether your server has been compromised, as well
        as the Microsoft blog post that carries similar information [2].

        "How can I tell if my environment has been compromised?

        The following steps are steps you can take to determine if your
        environment has been compromised:

        1. Is SSH enabled for your Serv-U installation?

           If SSH is not enabled in the environment, the vulnerability does
           not exist.

        2. Is your environment throwing exceptions?

           This attack is a Return Oriented Programming (ROP) attack. When
           exploited, the vulnerability causes the Serv-U product to throw
           an exception and then intercepts the exception handling code to
           run commands. Please note, several reasons exist for exceptions
           to be thrown, so an exception itself is not necessarily an
           indicator of attack.
           Please collect the DebugSocketlog.txt log file, which can be
           found in the following locations:

             C:\ProgramData\RhinoSoft\Serv-U\DebugSocketlog.txt
             C:\ProgramFiles\RhinoSoft\Serv-U\DebugSocketlog.txt

           In the log file DebugSocketlog.txt you may see an exception,
           such as:

             07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005;
             CSUSSHSocket::ProcessReceive(); Type: 30;
             puchPayLoad = 0x041ec066; nPacketLength = 76;
             nBytesReceived = 80; nBytesUncompressed = 156;
             uchPaddingLength = 5

           Exceptions may be thrown for other reasons so please collect the
           logs to assist with determining your situation.

        3. Are you seeing potentially suspicious connections via SSH?

           Look for connections via SSH from the following IP addresses,
           which have been reported as a potential indicator of attack by
           the threat actor:

             98[.]176[.]196[.]89
             68[.]235[.]178[.]32
             208[.]113[.]35[.]58
             144[.]34[.]179[.]162
             97[.]77[.]97[.]58

           Other indicators:

             hxxp://144[.]34[.]179[.]162/a
             C:\Windows\Temp\Serv-u.bat
             C:\Windows\Temp\test\current.dmp

        4. Are you seeing potentially suspicious activity by Serv-U?

           Review your monitoring tools and/or EDR platforms for Serv-U.exe
           spawning anomalous processes, such as:

           o mshta.exe
           o powershell.exe
           o cmd.exe (or conhost.exe then spawning cmd.exe) with any of the
             following in the command line:
             - whoami
             - dir
             - ./Client/Common
             - .\Client\Common
             - type [a file path] > "C:\ProgramData\RhinoSoft\Serv-U\Users\
               Global Users\[file name].Archive"
           o Any process with the following in the command line:
             - C:\Windows\Temp\
           o The addition of any unrecognized Global users to Serv-U. This
             can be checked in the users tab of the Serv-U Management
             Console, as shown below. It can also be checked by looking for
             recently created files in
             C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users, which
             appears to store the Global users information.

             [Screenshot: Serv-U Management Console, Users tab]

           If you observe this activity, investigate these processes
           further, and any traffic originating from the Serv-U box.
        Please contact SolarWinds Customer Support with this information,
        and we will escalate for investigation." [1]

REFERENCES

        [1] Serv-U Remote Memory Escape Vulnerability CVE-2021-35211
            https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211

        [2] Microsoft discovers threat actor targeting SolarWinds Serv-U
            software with 0-day exploit
            https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
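The DebugSocketlog.txt exception line and the process-spawn indicators quoted in the FAQ above can be turned into a small triage script for defenders. The following Python is an added example, not part of the AusCERT bulletin or SolarWinds' advisory; the function names are assumptions, and the log lines and process events it checks are constructed to mirror the advisory's examples.

```python
import re

# Shape of the DebugSocketlog.txt exception line quoted in the advisory, e.g.
# "07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; ..."
EXC_RE = re.compile(
    r"^(?:\[?\d+\]\s*)?(?P<ts>\w{3} \d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - EXCEPTION: "
    r"(?P<code>[0-9A-Fa-f]{8}); (?P<func>[\w:]+\(\));(?P<rest>.*)$"
)

def parse_exception(line):
    """Return the parsed EXCEPTION entry for a log line, or None if it is not one."""
    m = EXC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("rest").split(";"):
        sep = "=" if "=" in part else ":" if ":" in part else None  # "k = v" or "Type: 30"
        if sep:
            k, v = part.split(sep, 1)
            fields[k.strip()] = v.strip()
    return {"ts": m.group("ts"), "code": m.group("code").upper(),
            "func": m.group("func"), "fields": fields}

def suspicious_exceptions(lines):
    """Entries matching the advisory's indicator: an access violation (C0000005)
    raised in CSUSSHSocket::ProcessReceive(), i.e. while handling an SSH packet.
    Other exceptions are ignored; hits still need manual review (see step 2)."""
    return [e for e in map(parse_exception, lines)
            if e and e["code"] == "C0000005" and e["func"] == "CSUSSHSocket::ProcessReceive()"]

# Step 4 of the advisory: children of Serv-U.exe and command-line fragments to flag.
CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe", "conhost.exe"}
CMD_WORDS = re.compile(r"\b(whoami|dir)\b", re.I)          # whole words, so "directory" is not a hit
CMD_PATHS = ("./Client/Common", ".\\Client\\Common", "\\Serv-U\\Users\\Global Users\\", ".Archive")

def suspicious_spawn(parent, child, cmdline):
    """True if a process event matches the advisory's process indicators."""
    if "c:\\windows\\temp\\" in cmdline.lower():          # flagged for any parent process
        return True
    if parent.lower() != "serv-u.exe" or child.lower() not in CHILDREN:
        return False
    return bool(CMD_WORDS.search(cmdline)) or any(p.lower() in cmdline.lower() for p in CMD_PATHS)

if __name__ == "__main__":
    # Constructed sample log lines; the second reproduces the advisory's example exception.
    sample = [
        "05] Tue 01Jun21 02:42:10 - Session 1 connected",
        "07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; "
        "puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5",
    ]
    for hit in suspicious_exceptions(sample):
        print(hit["ts"], hit["fields"])
    print(suspicious_spawn("Serv-U.exe", "cmd.exe", "cmd.exe /c whoami"))
```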
===========================================================================