Vulnerability in SolarWinds Serv-U Could Allow Path Traversal


MS-ISAC NOTICE NUMBER:

2024-068

ISSUE DATE(S):

06/07/2024

PREVIEW:

A vulnerability has been discovered in SolarWinds Serv-U that could allow path traversal, which could lead to the disclosure of sensitive information. SolarWinds Serv-U is a managed file transfer solution used to store and share files across an enterprise network. It can be hosted on Windows and Linux servers. Successful exploitation of this vulnerability could allow disclosure of sensitive information in the context of files and directories. Depending on the permissions associated with the files, an attacker could view their contents. Files with stricter access controls and file permissions might be less affected than those without them.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • SolarWinds Serv-U versions prior to 15.4.2 HF 2

RISK:

Government:

Large and medium government entities: HIGH

Small government: MEDIUM

Companies:

Large and medium business entities: HIGH

Small business entities: MEDIUM

TECHNICAL SUMMARY:

A vulnerability has been discovered in SolarWinds Serv-U that could allow path traversal. An unauthenticated adversary can access files stored outside the server root directory by placing dot-dot-slash (../) sequences in the management console URL.
The details of this vulnerability are as follows:

Tactic: Discovery (TA0007)
Technique: File and Directory Discovery (T1083)

  • SolarWinds Serv-U Directory Traversal Vulnerability (CVE-2024-28995)

Successful exploitation of this vulnerability could allow disclosure of sensitive information in the context of files and directories. Depending on the permissions associated with the files, an attacker could view the contents they contain. Files and directories with stricter access controls might be less affected than those without them.
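The following is an added illustration, not code from MS-ISAC or SolarWinds, of the two defender-side controls that apply to a bug of this class: a server-side check that keeps every requested path under the configured root (the fix pattern), and a detection pass over web-server access logs for dot-dot-slash sequences, including percent-encoded and double-encoded variants (the signature pattern). The root directory, request paths and log lines are constructed for the example; nothing here is a Serv-U URL or parameter.

```python
"""Added example: root-confinement check and access-log traversal detection.
Assumptions (constructed): a hypothetical document root /srv/servu and a
few combined-format access log lines."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote


def _decode_path(raw: str) -> str:
    """Decode percent-encoding twice (to catch double encoding such as
    %252e%252e%252f) and treat backslash as a separator, since Serv-U can be
    hosted on Windows where '\\' is also a path separator."""
    decoded = unquote(unquote(raw))
    return decoded.replace("\\", "/")


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the normalized absolute path for `requested` if it stays inside
    `root`, otherwise None. Decoding happens BEFORE normalization so an
    encoded '../' cannot be normalized away on one side and decoded on the
    other. A request such as 'a/../b' that stays inside the root is allowed."""
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(
        posixpath.join(root_norm, _decode_path(requested).lstrip("/"))
    )
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def looks_like_traversal(url_path: str) -> bool:
    """Detection predicate for a request path: after decoding, does it
    contain a dot-dot-slash sequence? Errs on the side of flagging, which is
    the right bias for a review queue."""
    return "../" in _decode_path(url_path)


# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client browsing normally, one probing with
# plain, single-encoded and double-encoded traversal sequences.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jun/2024:10:01:02 +0000] "GET /console/index.html HTTP/1.1" 200 512
10.0.0.9 - - [07/Jun/2024:10:01:05 +0000] "GET /console/../../outside.txt HTTP/1.1" 200 88
10.0.0.9 - - [07/Jun/2024:10:01:07 +0000] "GET /console/..%2f..%2foutside.txt HTTP/1.1" 200 88
10.0.0.9 - - [07/Jun/2024:10:01:09 +0000] "GET /console/%252e%252e%252f%252e%252e%252foutside.txt HTTP/1.1" 200 88
10.0.0.5 - - [07/Jun/2024:10:01:11 +0000] "GET /console/docs/readme.txt HTTP/1.1" 200 1024
"""


def find_traversal_requests(log_text: str) -> List[dict]:
    """Scan access-log text and return the requests whose path carries a
    traversal sequence. A 2xx status on such a request is the strongest
    signal that the server actually served something outside its root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if looks_like_traversal(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "ts": m["ts"]})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['path']}")
    print(resolve_under_root("/srv/servu", "console/docs/readme.txt"))
    print(resolve_under_root("/srv/servu", "console/..%2f..%2foutside.txt"))
```

The confinement check compares normalized paths as strings rather than looking for the substring "..", so a legitimate in-root request like `console/../index.html` is still served while anything that resolves above the root is refused. Many web servers log the request line before decoding, which is why the detector decodes the logged path itself instead of trusting the server to have done so.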

RECOMMENDATIONS:

We recommend taking the following measures:

  • Apply appropriate updates provided by SolarWinds to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    o Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    o Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    o Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    o Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided by the vendor.

  • Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. (M1022: Restrict File and Directory Permissions)
    o Safeguard 3.3: Configure Data Access Control Lists: Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

  • Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include the use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
    o Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    o Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

  • Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
    o Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
    o Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    o Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
