-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0126
                 Serv-U Remote Memory Escape Vulnerability
                               14 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          SolarWinds Serv-U
Operating System: Windows
                  Linux variants
Impact/Access:    Administrator Compromise -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-35211  

Comment: This vulnerability is being exploited in the wild.

OVERVIEW

        SolarWinds Serv-U is vulnerable to a remote memory escape that could
        allow a remote, unauthenticated attacker to run arbitrary code with
        privileges. [1]


IMPACT

        SolarWinds states the following about the vulnerability:
        
        "The vulnerability exists in the latest Serv-U version 15.2.3 HF1 
        released May 5, 2021, and all prior versions. A threat actor who 
        successfully exploited this vulnerability could run arbitrary code 
        with privileges. An attacker could then install programs; view, 
        change, or delete data; or run programs on the affected system."[1]


MITIGATION

        SolarWinds urges customers to upgrade and will release further
        information about the vulnerability after customers have been given
        sufficient time to protect their systems.

        SolarWinds recommends upgrading according to the following table
        from their advisory [1]:
        +----------------+-------------------------------------------------+
        |Software Version|Upgrade Paths                                    |
        +----------------+-------------------------------------------------+
        |Serv-U 15.2.3   |Apply Serv-U 15.2.3 HF2, available in your       |
        |HF1             |Customer Portal                                  |
        +----------------+-------------------------------------------------+
        |Serv-U 15.2.3   |Apply Serv-U 15.2.3 HF1, then apply Serv-U       |
        |                |15.2.3 HF2, available in your Customer Portal    |
        +----------------+-------------------------------------------------+
        |All Serv-U      |Upgrade to Serv-U 15.2.3, then apply Serv-U      |
        |versions prior  |15.2.3 HF1, then apply Serv-U 15.2.3 HF2,        |
        |to 15.2.3       |available in your Customer Portal                |
        +----------------+-------------------------------------------------+
        
        
        It is also recommended to read the FAQ section of the SolarWinds
        advisory, which covers how to identify whether your server has been
        compromised, as well as the Microsoft blog post, which carries
        similar information [2].
        
        "How can I tell if my environment has been compromised?
        
        The following steps are steps you can take to determine if your
        environment has been compromised:
        
        1. Is SSH enabled for your Serv-U installation? If SSH is not
        enabled in the environment, the vulnerability does not exist.
        
        2. Is your environment throwing exceptions? This attack is a Return
        Oriented Programming (ROP) attack. When exploited, the vulnerability
        causes the Serv-U product to throw an exception and then intercepts
        the exception handling code to run commands. Please note, several
        reasons exist for exceptions to be thrown, so an exception itself is
        not necessarily an indicator of attack.
        
        Please collect the DebugSocketlog.txt log file, which can be found
        in the following locations:
        C:\ProgramData\RhinoSoft\Serv-U\DebugSocketlog.txt
        C:\ProgramFiles\RhinoSoft\Serv-U\DebugSocketlog.txt
        
        In the log file DebugSocketlog.txt you may see an exception, such
        as:
        
        07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; 
        CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; 
        nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; 
        uchPaddingLength = 5
        
        Exceptions may be thrown for other reasons so please collect the
        logs to assist with determining your situation.
        
        3. Are you seeing potentially suspicious connections via SSH? Look
        for connections via SSH from the following IP addresses, which have
        been reported as a potential indicator of attack by the threat
        actor:
        
        98[.]176[.]196[.]89
        68[.]235[.]178[.]32
        208[.]113[.]35[.]58
        144[.]34[.]179[.]162
        97[.]77[.]97[.]58
        
        Other indicators:
        
        hxxp://144[.]34[.]179[.]162/a
        C:\Windows\Temp\Serv-u.bat
        C:\Windows\Temp\test\current.dmp
        
        4. Are you seeing potentially suspicious activity by Serv-U? Review
        your monitoring tools and/or EDR platforms for Serv-U.exe spawning
        anomalous processes, such as:
        
          o mshta.exe
          o powershell.exe
          o cmd.exe (or conhost.exe then spawning cmd.exe) with any of the
            following in the command line:
              - whoami
              - dir
              - ./Client/Common
              - .\Client\Common
              - type [a file path] > "C:\ProgramData\RhinoSoft\Serv-U\Users\
                Global Users\[file name].Archive"
          o Any process with the following in the command line:
              - C:\Windows\Temp\
          o The addition of any unrecognized Global users to Serv-U. This
            can be checked in the users tab of the Serv-U Management
            Console, as shown below. It can also be checked by looking for
            recently created files in C:\ProgramData\RhinoSoft\Serv-U\Users\
            Global Users, which appears to store the Global users
            information. 
        
          [Screenshot: Serv-U Management Console]
        
        If you observe this activity, investigate these processes further,
        and any traffic originating from the Serv-U box. Please contact
        SolarWinds Customer Support with this information, and we will
        escalate for investigation."[1]
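
        The three log-based checks in the SolarWinds FAQ quoted above (the
        C0000005 exception in DebugSocketlog.txt, SSH connections from the
        listed addresses, and Serv-U.exe spawning anomalous child processes)
        can be scripted for triage. The following Python script is an added
        example, not SolarWinds or AusCERT tooling. Its input shapes are
        assumptions for the example: one string per DebugSocketlog.txt line,
        (timestamp, source IP) pairs for SSH connections, and
        process-creation records with parent, image and cmdline fields of
        the kind a telemetry source such as Sysmon event ID 1 provides. All
        sample data in it is constructed.

```python
"""Triage helper for the compromise indicators SolarWinds lists in the
CVE-2021-35211 FAQ: the C0000005 exception in DebugSocketlog.txt (step 2),
SSH connections from the published IP addresses (step 3) and Serv-U.exe
spawning anomalous child processes (step 4). Added example with
constructed sample inputs; not SolarWinds or AusCERT tooling."""
import re
from dataclasses import dataclass

# IP addresses exactly as published (defanged) in the advisory.
IOC_IPS_DEFANGED = [
    "98[.]176[.]196[.]89",
    "68[.]235[.]178[.]32",
    "208[.]113[.]35[.]58",
    "144[.]34[.]179[.]162",
    "97[.]77[.]97[.]58",
]


def refang(ip: str) -> str:
    """Turn the defanged form '1[.]2[.]3[.]4' into '1.2.3.4' for comparison."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# Shape of the exception line shown in the FAQ:
# "EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; ..."
EXC_RE = re.compile(r"EXCEPTION:\s*(?P<code>[0-9A-Fa-f]{8});\s*(?P<func>[\w:]+)\(\)")

# Command-line fragments the FAQ associates with cmd.exe spawned by Serv-U.exe,
# matched against the lower-cased command line.
CMD_PATTERNS = [
    r"\bwhoami\b",
    r"\bdir\b",
    r"\./client/common",
    r"\.\\client\\common",
    r"\btype\b.*>\s*\"?c:\\programdata\\rhinosoft\\serv-u\\users\\global users\\",
]
TEMP_FRAGMENT = "c:\\windows\\temp\\"


@dataclass
class Finding:
    check: str
    detail: str


def scan_debug_log(lines):
    """Step 2: flag the access-violation exception in CSUSSHSocket::ProcessReceive().
    Other exceptions are ignored; the FAQ notes they occur for many reasons."""
    findings = []
    for line in lines:
        m = EXC_RE.search(line)
        if m and m.group("code").upper() == "C0000005" \
                and m.group("func") == "CSUSSHSocket::ProcessReceive":
            findings.append(Finding("debug_log_exception", line.strip()))
    return findings


def scan_ssh_connections(events):
    """Step 3: events are (timestamp, source_ip) pairs from the SSH listener log."""
    return [Finding("ioc_ip_connection", f"{ts} {ip}")
            for ts, ip in events if ip in IOC_IPS]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def scan_process_events(events):
    """Step 4: events are dicts with 'parent', 'image' and 'cmdline' keys
    (assumed field names, e.g. taken from Sysmon event ID 1)."""
    findings = []
    for ev in events:
        parent, image = _basename(ev["parent"]), _basename(ev["image"])
        cmd = ev["cmdline"].lower()
        if TEMP_FRAGMENT in cmd:  # any process referencing C:\Windows\Temp\
            findings.append(Finding("temp_dir_cmdline", ev["cmdline"]))
        if parent == "serv-u.exe" and image in ("mshta.exe", "powershell.exe"):
            findings.append(Finding("servu_child_process", f"{image}: {ev['cmdline']}"))
        elif parent in ("serv-u.exe", "conhost.exe") and image == "cmd.exe" \
                and any(re.search(p, cmd) for p in CMD_PATTERNS):
            findings.append(Finding("servu_cmd_child", ev["cmdline"]))
    return findings


# Constructed sample data, modelled on the shapes the FAQ describes.
SAMPLE_DEBUG_LOG = [
    "[07] Tue 01Jun21 02:41:10 - Client connected from 203.0.113.7",
    "[07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); "
    "Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; "
    "nBytesUncompressed = 156; uchPaddingLength = 5",
    "[08] Tue 01Jun21 02:43:01 - EXCEPTION: C0000005; CFtpSession::Send(); Type: 2",
]
SAMPLE_SSH_CONNECTIONS = [
    ("2021-06-01T02:42:55Z", "203.0.113.7"),
    ("2021-06-01T02:42:57Z", "144.34.179.162"),
]
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Program Files\RhinoSoft\Serv-U\Serv-U.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
    {"parent": r"C:\Windows\explorer.exe",  # benign: not a Serv-U child
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\conhost.exe",  # Serv-U.exe -> conhost -> cmd
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c type C:\Users\x\a.txt > '
                r'"C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\x.Archive"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\Serv-u.bat"},
]


def run_triage(debug_log=SAMPLE_DEBUG_LOG, ssh=SAMPLE_SSH_CONNECTIONS,
               procs=SAMPLE_PROCESS_EVENTS):
    """Run all three checks and return the combined list of findings."""
    return (scan_debug_log(debug_log) + scan_ssh_connections(ssh)
            + scan_process_events(procs))


if __name__ == "__main__":
    for f in run_triage():
        print(f"[{f.check}] {f.detail}")
```

        Each finding names the FAQ step it came from so an analyst can
        weigh it accordingly: a single exception line is weak evidence on
        its own, while a Serv-U.exe child process running whoami or writing
        into the Global Users directory is the kind of activity the FAQ
        says to investigate and report to SolarWinds support.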


REFERENCES

        [1] Serv-U Remote Memory Escape Vulnerability CVE-2021-35211
            https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211

        [2] Microsoft discovers threat actor targeting SolarWinds Serv-U
            software with 0-day exploit
            https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----