Difenda is issuing this advisory to inform all stakeholders about a high-severity vulnerability in SolarWinds Serv-U file transfer software, tracked as CVE-2024-28995. This vulnerability, which has a CVSS score of 8.6, allows attackers to read sensitive files on affected systems and is being actively exploited in the wild. Therefore, immediate action is required to mitigate potential threats
High-Severity Vulnerability in SolarWinds Serv-U Exploited in the Wild Technical Overview
Vulnerability Description:
- CVE: CVE-2024-28995
- Type: Directory Traversal
- CVSS Score: 8.6 (High Severity)
- Affected Versions: All versions of SolarWinds Serv-U prior to and including 15.4.2 HF 1
Impact:
The directory traversal vulnerability allows unauthenticated, remote attackers to read arbitrary files from the underlying operating system by sending specially crafted requests. This could expose sensitive information such as user data, encrypted passwords, and server logs.
Affected Products:
- Serv-U FTP Server 15.4
- Serv-U Gateway 15.4
- Serv-U MFT Server 15.4
- Serv-U File Server 15.4
Discovery and Exploitation:
Security researcher Hussein Daher of Web Immunify discovered and reported this flaw. Subsequently, following the public disclosure, technical details and a proof-of-concept (PoC) exploit were made available, facilitating exploitation. Moreover, Rapid7 and GreyNoise have confirmed that both automated and manual exploitation attempts are occurring in the wild, with attacks targeting honeypot servers to access files like /etc/passwd.
Threat Analysis:
The vulnerability is considered trivial to exploit, with a low barrier to entry for malicious actors. Additionally, successful exploitation could be used to gain access to sensitive information, which may lead to further attacks through information chaining. Historically, exploits in similar managed file transfer solutions have been linked to ransomware groups, emphasizing the potential for significant data breaches and extortion attempts.
What Our Threat Intelligence Team is Seeing
At Difenda, we have advanced capabilities to detect vulnerabilities such as CVE-2024-28995. Furthermore, our security monitoring systems are equipped to identify exploitation attempts and anomalous activities related to this directory traversal flaw.
What We Suggest for the High-Severity Vulnerability in SolarWinds Serv-U Exploited in the Wild
To mitigate the risk posed by CVE-2024-28995, Difenda recommends the following immediate actions:
- Patch Systems:
- Apply the update to Serv-U version 15.4.2 HF 2 (15.4.2.157) released by SolarWinds to address this vulnerability. Ensure all instances of Serv-U FTP Server, Gateway, MFT Server, and File Server are updated.
- Review and Monitor Systems:
- Conduct thorough reviews of system logs and network traffic for any signs of exploitation attempts. Additionally, pay close attention to unusual file access patterns and unauthorized requests.
- Implement Network Segmentation:
- Isolate systems running Serv-U from critical infrastructure and sensitive data stores. This can help limit the potential impact of any exploitation.
- Enhance Access Controls:
- Restrict access to the Serv-U file transfer software to only trusted IP addresses and use strong, unique credentials.
What Difenda is Doing
Upon detection of any potential vulnerabilities or exploitation attempts, our team promptly informs affected clients and provides detailed guidance on remediation steps. Moreover, we are committed to ensuring our clients’ environments are secure and resilient against emerging threats.
DIFEND WITH CONFIDENCE