Hackers Actively Eyeing SolarWinds Serv-U Directory Traversal Bug

In June, SolarWinds released a fix for a high-severity directory traversal security bug in its Serv-U file transfer software. According to researchers, threat actors have started exploiting CVE-2024-28995, a “trivially exploitable” security bug with a CVSS rating of 8.6, in the wild.

June 24, 2024

SolarWinds Serv-U Directory Traversal Vulnerability
(Credits: Hernan E. Schmidt/Shutterstock.com)

  • Earlier in June, SolarWinds released a fix for a high-severity directory traversal security bug in its Serv-U file transfer software.
  • Researchers discovered that the 8.6-rated vulnerability is being actively exploited in the wild.

A patched directory traversal vulnerability still threatens between 5,500 and 9,500 systems. According to researchers, CVE-2024-28995 is a “trivially exploitable” security bug in the SolarWinds Serv-U file transfer tool with a CVSS rating of 8.6.

CVE-2024-28995 allows an attacker to read sensitive files on the host system. Rapid7 published a technical writeup after notifying the cybersecurity community that it had successfully reproduced the flaw and confirmed its danger on Windows and Linux systems alike.

The company noted that a threat actor can read any file provided they know its path and the file is not locked. Per BleepingComputer, a CVE-2024-28995 proof-of-concept (PoC) is already being used by threat actors, but the attacks are relatively unsophisticated. For now.

Naomi Buckwalter, director of product security at Contrast Security, told Spiceworks News & Insights, “This SolarWinds Serv-U vulnerability (CVE-2024-28995) is exactly the kind of widespread issue that keeps security professionals up at night. Here’s why it’s concerning: 

  • Easy to Exploit: The fact that attackers are using publicly available PoCs means the barrier to entry for malicious actors is incredibly low. Any script kiddie with an internet connection can potentially launch an attack.
  • Widespread Impact: This vulnerability affects multiple SolarWinds Serv-U products across several versions. Unfortunately, that means a large number of potential targets (and the organizations that use them) are at risk.
  • Potential for ‘Chained’ Attacks: Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called ‘chaining.’ This can lead to a more widespread compromise, potentially impacting other systems and applications.”

Greynoise Labs deployed two copies of an identical honeypot that appears legitimate and vulnerable. In one example, the company discovered that an attacker with an IP from China copy-pasted the PoC payload without testing it.


On the other honeypot, an attacker, also connecting from a Chinese IP address, tweaked their attempts for four hours, according to Greynoise security researcher Ron Bowes. “We see people actively experimenting with this vulnerability – perhaps even a human with a keyboard,” Bowes said.

“I wonder if they scanned the internet several times, or if they kept coming back to my server specifically? I’ll have to keep an eye out for them, but we’ll probably never know! I hope they’re happy with the fake files they got, in any case.”

Greynoise Labs noted that the most targeted data have been files containing Linux users’ account data, Windows configuration settings, and FTP server startup logs.

Admins can assess their exposure through an independent researcher’s CVE-2024-28995 scanner, which supports both single-target and bulk scans. IT administrators can also check whether their organizations have any of the following vulnerable versions of SolarWinds Serv-U installed: Serv-U File Server 15.4.2.126 and earlier, Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4.

Buckwalter advised the following to fix the flaw:

“Input Validation: The core issue lies in insufficient validation of user-provided paths. The fix involves implementing robust input validation routines to ensure path requests only access authorized directories. This validation should include: 

  • Sanitization: Remove any special characters or sequences that could be used for path traversal attacks (e.g., “..”, “../”).
  • Whitelist approach: Instead of blacklisting malicious paths, define a whitelist of acceptable directories users can access. This approach is more secure and easier to maintain.

Secure Coding Practices: Employ secure coding practices to prevent this type of vulnerability from recurring. This includes:

  • Least Privilege: Applications should only have access to the specific directories and files they need to function.
  • Escaping Mechanisms: If user-provided data is used to construct file paths, proper escaping mechanisms should be implemented to prevent malicious code injection.

Code Reviews: Regular code reviews focusing on security best practices can help identify and address potential vulnerabilities before they are exploited.”
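The validation Buckwalter describes (canonicalize first, then check the result against a whitelist rather than blacklisting “../”) and the log triage Greynoise did on its honeypots can both be shown in one short script. The code below is an added example written for this article; it is not SolarWinds code, not Contrast Security’s, and does not reproduce the Serv-U flaw. The served root `/srv/ftp`, the whitelist `ALLOWED_SUBDIRS`, and the access-log lines are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed values for this example: a hypothetical served root and the
# whitelist of subdirectories a file-transfer service is allowed to expose.
ROOT = "/srv/ftp"
ALLOWED_SUBDIRS = ("pub", "uploads")


def naive_resolve(user_path):
    """Vulnerable pattern: blacklist a single '../' sequence, then concatenate.

    Returns the path the OS would actually open after normalisation, which is
    why a blacklist is not a fix: '....//' collapses back into '../' once the
    inner '../' has been stripped.
    """
    cleaned = user_path.replace("../", "")
    return posixpath.normpath(ROOT + "/" + cleaned)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded '%252e' is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(user_path):
    """Whitelist approach: return the canonical path only if it stays inside
    ROOT *and* its first component is an allowed subdirectory; otherwise None.
    """
    decoded = fully_decode(user_path).replace("\\", "/")  # unify separators
    if "\x00" in decoded:  # a NUL byte would truncate the path in many C APIs
        return None
    rel = decoded.lstrip("/")  # user input is always treated as relative
    candidate = posixpath.normpath(posixpath.join(ROOT, rel))
    # Containment check on the normalised path, never on the raw input.
    if not candidate.startswith(ROOT + "/"):
        return None
    first = candidate[len(ROOT) + 1:].split("/", 1)[0]
    if first not in ALLOWED_SUBDIRS:
        return None
    # On a real deployment also resolve symlinks (os.path.realpath) before the
    # containment check; this example is purely lexical.
    return candidate


# Constructed access-log lines (not real Serv-U logs) for the detection side.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2024:10:01:02 +0000] "GET /pub/readme.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Jun/2024:10:01:09 +0000] "GET /pub/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [24/Jun/2024:10:02:00 +0000] "GET /pub/..\\..\\Windows\\win.ini HTTP/1.1" 200 300',
    '198.51.100.7 - - [24/Jun/2024:10:02:30 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 9000',
]


def flag_traversal_requests(lines):
    """Return (client_ip, raw_path) for every request whose path would be
    rejected by safe_resolve; useful for triaging logs after a disclosure."""
    flagged = []
    for line in lines:
        try:
            request = line.split('"')[1]          # 'GET /path HTTP/1.1'
            _method, path, _proto = request.split()
        except (IndexError, ValueError):
            continue                              # malformed line, skip it
        if safe_resolve(path) is None:
            flagged.append((line.split()[0], path))
    return flagged


if __name__ == "__main__":
    print(naive_resolve("....//....//etc/passwd"))   # escapes ROOT
    print(safe_resolve("....//....//etc/passwd"))    # None
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print("suspicious", ip, path)
```

The two halves make the same point from both sides: `naive_resolve` shows why stripping “../” once is not sanitization, while `safe_resolve` decodes, normalizes, and only then checks containment and the whitelist. The same function doubles as a detection filter over request logs, which is the kind of check an administrator would run over Serv-U access logs while waiting to patch.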

CVE-2024-28995 was discovered by Web Immunify CEO and NATO penetration tester Hussein Daher. SolarWinds disclosed the Serv-U directory traversal vulnerability on June 6, 2024.

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis