There is a new zero-day vulnerability (CVE-2021-35211) threatening SolarWinds, or more particularly, its Serv-U product line. The flaw was discovered and reported to SolarWinds by Microsoft. According to the official advisory, the newly disclosed zero-day "only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products."
Apparently, Microsoft recently notified SolarWinds of the issue affecting Serv-U Managed File Transfer Server and Serv-U Secured FTP. The impact of the exploit is limited and targeted, though an exact estimate of affected customers is still not known. SolarWinds is also unaware of the identity of potentially affected customers, according to the advisory.
CVE-2021-35211
CVE-2021-35211 relates to Serv-U version 15.2.3 HF1, which was released in May 2021. Prior versions are also affected. A successful exploit of the vulnerability could lead to arbitrary code execution with privileges. Once this is achieved, a threat actor could install and run programs, and view, change, and delete data on the vulnerable system.
Serv-U version 15.2.3 hotfix 2 (HF2) has been released to address CVE-2021-35211. You can refer to the official advisory for more technical details.
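For a defender working through an inventory of Serv-U installations, the practical question is whether each host is at or above 15.2.3 HF2. The following is an added example, not code from the article or from SolarWinds: it parses version strings in the "15.2.3 HF1" notation the advisory uses (that notation is the only thing taken from the page; treating a release with no hotfix as hotfix 0, case-insensitive "hf", and the constructed hostnames and inventory are assumptions) and flags anything older than the fixed hotfix as needing the patch.

```python
import re
from typing import Dict, Tuple

# Fixed release named in the advisory: Serv-U 15.2.3 HF2.
# Assumption: "HF<n>" is the hotfix number and a base release without a
# hotfix token counts as hotfix 0, so 15.2.3 < 15.2.3 HF1 < 15.2.3 HF2.
FIXED_VERSION = "15.2.3 HF2"

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_servu_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Serv-U version string such as '15.2.3 HF1' into a comparable tuple.

    Returns (major, minor, patch, hotfix). Raises ValueError when the string
    does not follow the assumed '<major>.<minor>.<patch>[ HF<n>]' notation.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed hotfix (CVE-2021-35211)."""
    return parse_servu_version(version) < parse_servu_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patch' / 'ok' / 'unknown' for an inventory of {host: version string}.

    Unparseable strings are reported as 'unknown' rather than silently treated
    as safe, so they surface for manual checking.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patch" if is_affected(version) else "ok"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory: hostnames and the mix of versions are made up.
SAMPLE_INVENTORY = {
    "ftp-01": "15.2.3 HF1",  # release named in the advisory: affected
    "ftp-02": "15.2.3 HF2",  # fixed hotfix: ok
    "ftp-03": "15.2.2",      # older release, no hotfix token: affected
    "ftp-04": "15.2.3 hf2",  # lower-case hotfix token still parses: ok
    "ftp-05": "unknown",     # cannot be parsed: flagged for manual review
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A version string is only a proxy for patch state; where possible, confirm the installed hotfix on the host itself rather than trusting an inventory record.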
Last Year’s SolarWinds Attack
Last year, the Sunburst Trojan was used against SolarWinds in an attack carried out through their own application, Orion. Researchers believed that the well-known Russian hacking group APT29 (alternatively known as "Cozy Bear") was behind the attack.
The cybercriminals were able to infiltrate the email systems of the company using a malicious package, described as a modified version of the SolarWinds Orion program. Apparently, the attackers were using malware-infected updates against the targeted networks.
Following the discovery of the malware, and given the severity of the situation, a joint team of experts devised a kill switch to stop the malware from propagating further. Experts from Microsoft, GoDaddy, and FireEye found that a single hacker-controlled domain was operating the main command and control service. The kill switch was designed to prevent new infections and also to block existing ones from running by cutting off traffic to that domain.