Analysis Summary

Threat actors are using publicly accessible proof-of-concept (PoC) exploits to aggressively take advantage of a SolarWinds Serv-U path-traversal vulnerability. The observed behavior highlights the risk posed by unpatched endpoints, highlighting the urgent need for administrators to deploy the security updates, even though the attacks don't seem very complex.

This high-severity directory traversal vulnerability, identified as CVE-2024-28995, lets unauthorized users access any file from the filesystem by creating specially crafted HTTP GET requests. Path traversal sequences are not sufficiently validated, which creates a vulnerability that allows attackers to get around security measures and access private files. The following SolarWinds products are affected by the vulnerability:

• Serv-U File Server 15.4.2.126 and earlier
• Serv-U MFT Server 15.4
• Serv-U Gateway 15.4
• Serv-U FTP Server 15.4

Although they are already unsupported and will reach the end of life in February 2025, older versions (15.3.2 and prior) are also impacted. By taking advantage of the vulnerability, sensitive data could be exposed to unauthorized file access, which could result in a longer-term breach. On June 5, 2024, SolarWinds issued version 15.4.2.157, the 15.4.2 Hotfix 2, to address this vulnerability by implementing enhanced validation procedures.

Cybersecurity analysts released a technical write-up that included step-by-step instructions for taking advantage of SolarWinds Serv-U's directory traversal vulnerability to read any file from the compromised machine. One day later, a PoC exploit and bulk scanner for CVE-2024-28995 were made available on GitHub by an independent researcher. Researchers estimated the amount of internet-exposed and potentially susceptible instances between 5,500 and 9,500 and cautioned about how easy it is to exploit the bug.

To track and examine attempts at exploiting CVE-2024-28995, researchers deployed a honeypot that imitates a vulnerable Serv-U system. The analysts saw a variety of attack techniques, such as automated and manual attempts to exploit the vulnerability indicated by hands-on keyboard actions. Attackers circumvent security checks by exploiting erroneous slashes in platform-specific path traversal sequences, which the Serv-U system then fixes to permit unauthorized file access.

Attackers use the files as a means of increasing their level of access or looking for other chances within the compromised network. Attackers that seem to copy-paste exploits without testing, leading to unsuccessful attempts, are reported by researchers. Other Chinese attempts at exploitation demonstrate the attackers' adaptability, tenacity, and increased comprehension.

According to experts, they spent four hours experimenting with various payloads and formats and modified their strategy in reaction to server answers. System administrators need to implement the available solutions as soon as feasible because attacks have been confirmed to be underway.

Impact

• Unauthorized Access
• Exposure of Sensitive Data

Indicators of Compromise

CVE

• CVE-2024-28995

Affected Vendors

Remediation

• Upgrade to the latest version of SolarWinds Products, available from the SolarWinds Website.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.