Critical Zero-Day Vulnerability in SolarWinds Serv-U (CVE-2021-35211)

Overview

A critical zero-day vulnerability (CVE-2021-35211) was discovered in SolarWinds Serv-U. According to a report by Microsoft, a China-based threat actor tracked as DEV-0322 was actively exploiting it in the wild before a patch was available.

Description

Microsoft recently discovered a critical zero-day vulnerability in SolarWinds Serv-U (CVE-2021-35211). It is a Remote Code Execution (RCE) vulnerability that exists in the SolarWinds Serv-U file transfer products (Serv-U Managed File Transfer Server and Serv-U Secured FTP Server).

Specifically, the flaw resides in the Secure Shell (SSH) protocol implementation of Serv-U. It can be exploited remotely, without authentication, by any threat actor who can reach the Serv-U SSH listener, so installations whose SSH service is exposed to the Internet are directly at risk. A successful exploit lets a remote attacker run arbitrary code and install arbitrary programs in the context of the Serv-U process, and from there read, modify or destroy data on the server.

The Microsoft Threat Intelligence Center (MSTIC) reported that the vulnerability was being actively exploited by a China-based threat actor it tracks as DEV-0322.

About the Attacker

According to MSTIC, DEV-0322 is a China-based threat actor that mainly targets the defense industrial base and software companies. As part of its attack infrastructure, DEV-0322 had previously been observed using commercial VPN solutions and compromised consumer routers.

Threat Detection

MSTIC further shared details of the threat and known indicators for detection. A summary of the MSTIC report is given below:

  • Recently created .txt files in the Client\Common\ directory of the Serv-U installation. The attackers use these files to stage the output of cmd.exe commands for retrieval.
  • A new global user with administrative rights added to Serv-U by manually crafting an .Archive file in the Global Users directory, rather than through the Serv-U management interface.
  • Compromised Serv-U processes were observed spawning child processes that are not part of normal operation, for example:
    • mshta.exe
    • powershell.exe
    • cmd.exe (with command lines such as whoami, dir, ./Client/Common, .\Client\Common)
    • any other process whose command line references C:\Windows\Temp\
  • Microsoft Defender Antivirus detection signatures:
    • Behavior:Win32/ServuSpawnSuspProcess.A
    • Behavior:Win32/ServuSpawnCmdClientCommon.A
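The indicators above expressed as hunting logic, as an added example that is not code from the MSTIC report or from SolarWinds. It runs two checks over constructed sample data: process-creation events (fields modelled on Sysmon Event ID 1 / Windows Security 4688: parent image, image, command line) and a directory listing of the Serv-U install tree. The install root, the process image name, the file names in the samples and the 24-hour window for "recently created" are assumptions, not values taken from the report.

```python
"""Hunting logic for the DEV-0322 indicators listed above.

Added example; not code from the MSTIC report or from SolarWinds.
Assumptions (not stated on the page): the Serv-U install root and
process image name below, and a 24-hour window for "recently created".
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

SERVU_INSTALL = r"C:\ProgramData\RhinoSoft\Serv-U"   # assumed install root
SERVU_IMAGE = "serv-u.exe"                            # assumed process image name
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe"}
RECON_TOKENS = {"whoami", "dir", "./client/common", r".\client\common"}
TEMP_MARKER = "c:\\windows\\temp\\"                    # any command line under C:\Windows\Temp\
RECENT_WINDOW = timedelta(hours=24)                   # assumed hunting window


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class FileEntry:
    path: str
    created: datetime


def classify_process(ev: ProcessEvent) -> list[str]:
    """Indicator names matched by one process-creation event (empty if benign)."""
    hits: list[str] = []
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    cmd = ev.command_line.lower()
    if parent == SERVU_IMAGE and child in SUSPICIOUS_CHILDREN:
        hits.append("servu-spawn-" + child.removesuffix(".exe"))
        # cmd.exe recon: whoami, dir, or listing the Client\Common drop directory
        if child == "cmd.exe" and RECON_TOKENS & set(cmd.split()):
            hits.append("servu-cmd-recon")
    if TEMP_MARKER in cmd:
        hits.append("windows-temp-cmdline")
    return hits


def classify_file(entry: FileEntry, now: datetime) -> list[str]:
    """Indicator names matched by one file under the Serv-U install tree."""
    hits: list[str] = []
    rel = entry.path.lower().removeprefix(SERVU_INSTALL.lower()).lstrip("\\")
    directory, name = ntpath.split(rel)
    recent = now - entry.created <= RECENT_WINDOW
    if recent and directory.endswith(r"client\common") and name.endswith(".txt"):
        hits.append("client-common-txt")          # cmd.exe output staged for retrieval
    if recent and directory.endswith("global users") and name.endswith(".archive"):
        hits.append("global-users-archive")       # hand-crafted global user definition
    return hits


def hunt(events, files, now):
    """Run both checks and return (indicator, evidence) pairs."""
    findings = []
    for ev in events:
        findings += [(hit, ev.command_line) for hit in classify_process(ev)]
    for entry in files:
        findings += [(hit, entry.path) for hit in classify_file(entry, now)]
    return findings


# Constructed sample telemetry (not real data).
NOW = datetime(2021, 7, 13, 12, 0)
SAMPLE_EVENTS = [
    ProcessEvent(SERVU_INSTALL + r"\Serv-U.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c whoami > " + SERVU_INSTALL + r"\Client\Common\a1b2.txt"),
    ProcessEvent(SERVU_INSTALL + r"\Serv-U.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Windows\Temp\update.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),                              # benign: not a Serv-U child
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\Temp\svc.exe",
                 r"C:\Windows\Temp\svc.exe"),
]
SAMPLE_FILES = [
    FileEntry(SERVU_INSTALL + r"\Client\Common\a1b2.txt", NOW - timedelta(hours=2)),
    FileEntry(SERVU_INSTALL + r"\Client\Common\readme.txt", NOW - timedelta(days=400)),
    FileEntry(SERVU_INSTALL + r"\Users\Global Users\backupadmin.Archive", NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for indicator, evidence in hunt(SAMPLE_EVENTS, SAMPLE_FILES, NOW):
        print(f"{indicator:24} {evidence}")
```

In production the events would come from Sysmon or an EDR feed rather than an inline list, and the Defender behaviour signatures named above already cover the process-spawn indicators on hosts running Microsoft Defender Antivirus; the file checks are the part most hosts will lack, since a hand-crafted .Archive file produces no management-interface audit entry.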

Impact

A remote adversary can exploit the SolarWinds Serv-U RCE vulnerability (CVE-2021-35211) whenever the product's SSH implementation is reachable, and in particular when it is exposed to the Internet. Successful exploitation allows the attacker to run arbitrary code and install arbitrary programs in the context of the Serv-U service, and from there to cause unauthorized disclosure, modification or destruction of data. Installations with SSH disabled are not exposed to this flaw.

Impact Summary

Category: Remote Code Execution
CVSS 3.1 Base Score: 9.0 Critical
CVSS 3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Solution (Patch)

SolarWinds issued a patch for the CVE-2021-35211 RCE vulnerability after Microsoft notified the company of active exploitation in the wild; the fix ships in Serv-U 15.2.3 HF2, and all earlier versions are affected. Until the hotfix is applied, disabling SSH on Serv-U removes the exploitable code path, and any installation that had SSH exposed before patching should be checked against the indicators listed under Threat Detection, since patching does not remove an attacker who is already present. For full details of the updates, please refer to the SolarWinds Security Advisory.

Quote by Window Snyder

One single vulnerability is all an attacker needs.

Window Snyder

