Very High
CVE-2021-35211
CVE-2021-35211
Description
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.
Add Assessment
Technical Analysis
SolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft’s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.
The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.
Technical Analysis
I looked at the patch briefly and confirmed this appears to be unauthenticated remote code execution, specifically of the memory corruption variety, in the SSH (SFTP) service that’s available to Serv-U. Note that services are opt-in for this product, so SSH would need to be enabled for this bug to be exploitable. However, since this vulnerability is being exploited in the wild (albeit in targeted attacks), you’ll absolutely want to patch it, particularly for a product that is likely to be exposed to the Internet.
CVSS V3 Severity and Metrics
General Information
Vendors
- solarwinds
Products
- serv-u,
- serv-u 15.2.3
Exploited in the Wild
References
Miscellaneous
