SolarWinds, the Texas-based company that became the focal point of an enormous supply chain attack late last year, is now urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers.
“Microsoft has given evidence of defined, targeted customer impact, though SolarWinds does not currently have a measure of how many customers may be directly affected by the vulnerability,” the company said in an advisory published on Friday.
“To the best of our consideration, no other SolarWinds products have been affected by this vulnerability. SolarWinds is unaware of the identification of the potentially affected customers.”
Only Impacts Servers with SSH Enabled
The zero-day vulnerability (tracked as CVE-2021-35211) affects Serv-U Managed File Transfer and Serv-U Secure FTP, and it allows remote threat actors to run arbitrary code with privileges following successful exploitation.
According to SolarWinds, “if SSH is not enabled in the environment, the vulnerability does not exist.”
The flaw, discovered by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Offensive Security Research teams in the latest Serv-U 15.2.3 HF1 released in May 2021, also affects all prior versions.
SolarWinds has addressed the vulnerability reported by Microsoft with the release of Serv-U version 15.2.3 hotfix (HF) 2. The upgrade path depends on the installed version:
- Serv-U 15.2.3 HF1 – Apply Serv-U 15.2.3 HF2, available in the Customer Portal
- Serv-U 15.2.3 – Apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in the Customer Portal
- All Serv-U versions before 15.2.3 – Upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in the Customer Portal
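As an added example (not code from SolarWinds or from this article), the following Python helper maps an installed Serv-U version string onto the upgrade path above and, following the vendor's statement that the flaw only exists when SSH is enabled, flags which hosts in an inventory are actually exposed. The version-string format, the `assess` and `triage_inventory` names and the inventory records are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed build per the advisory: Serv-U 15.2.3 HF2. Represented as
# (major, minor, patch, hotfix); a build with no hotfix has hotfix 0.
FIXED = (15, 2, 3, 2)

# Assumed version-string shape, e.g. "15.2.3", "15.2.3 HF1", "15.1.7".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[ HFn]' into a tuple that compares correctly."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf or 0))


def assess(version: str, ssh_enabled: bool) -> Dict[str, object]:
    """Return whether a build predates the fix, whether SSH exposes it,
    and the ordered upgrade steps from the vendor's upgrade paths."""
    v = parse_version(version)
    unpatched = v < FIXED
    steps: List[str] = []
    if unpatched:
        if v < (15, 2, 3, 0):          # anything before 15.2.3
            steps.append("Upgrade to Serv-U 15.2.3")
        if v < (15, 2, 3, 1):          # 15.2.3 without HF1
            steps.append("Apply Serv-U 15.2.3 HF1")
        steps.append("Apply Serv-U 15.2.3 HF2")
    return {
        "version": v,
        "unpatched": unpatched,
        # Vendor statement: the vulnerability does not exist if SSH is disabled.
        "exposed": unpatched and ssh_enabled,
        "steps": steps,
    }


def triage_inventory(hosts: Iterable[Tuple[str, str, bool]]) -> List[str]:
    """Given (hostname, version, ssh_enabled) records, return the hostnames
    that run a pre-fix build with SSH enabled, i.e. the ones to patch first."""
    return [name for name, ver, ssh in hosts if assess(ver, ssh)["exposed"]]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("mft-01", "15.2.3 HF1", True), ("mft-02", "15.2.3", False),
              ("ftp-legacy", "15.1.7", True), ("mft-03", "15.2.3 HF2", True)]
    for host in triage_inventory(sample):
        print(host, assess(dict((h, v) for h, v, _ in sample)[host], True)["steps"])
```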
The company further stated that all other SolarWinds and N-able products, including the Orion Platform modules, are unaffected by CVE-2021-35211.
The US-based software firm warned: “SolarWinds released a hotfix on Friday, July 9, 2021, and we suggest all customers using Serv-U install this fix immediately for the security of your system’s environment.”
Additionally, SolarWinds provides guidance on how to determine whether your environment was compromised during the attacks Microsoft reported.
Customers can also request more information by opening a customer service ticket with the subject “Serv-U Assistance.”
What is the SolarWinds Orion Supply-Chain Attack?
Last year, SolarWinds disclosed a supply-chain attack orchestrated by the Russian Foreign Intelligence Service.
The threat actors took over the company’s internal systems and trojanized the Orion Software Platform source code and builds released between March 2020 and June 2020.
The trojanized builds were later used to deliver a backdoor tracked as Sunburst to “fewer than 18,000” customers, but, fortunately, the attackers only selected a far smaller number of targets for second-stage exploitation.
At the time the attack was disclosed, SolarWinds’ list of around 300,000 customers worldwide included more than 425 US Fortune 500 companies, all top ten US telecom companies, and a long list of government agencies, including the US Military, the Pentagon, the State Department, the Department of Justice, and the Office of the President of the United States.
Several US government agencies confirmed that they were breached in the SolarWinds supply chain attack, including:
- The National Telecommunications and Information Administration (NTIA)
- The Department of Homeland Security (DHS)
- The Department of the Treasury
- The Department of State
- The Department of Energy (DOE)
- The National Nuclear Security Administration (NNSA)
- The National Institutes of Health (NIH) (part of the U.S. Department of Health)
In March, SolarWinds reported expenses of $3.5 million from the previous year’s supply chain attack, made up of costs related to remediation and the incident investigation.
Although $3.5 million does not seem like much compared to the scale of the SolarWinds supply-chain attack, the expenses reported so far only cover the period through December 2020, with significant additional costs expected throughout the following financial year.