Dive Brief:
- Researchers have reproduced a high-severity vulnerability in the SolarWinds Serv-U file-transfer service that is incredibly easy to exploit, according to a blog post from Stephen Fewer, principal security researcher at Rapid7. Companies should immediately patch the vulnerability, Fewer said Tuesday.
- The directory traversal vulnerability, listed as CVE-2024-28995, allows an unauthenticated attacker to read sensitive files on the targeted server. The vulnerability has a CVSS score of 8.6.
- While no exploitation activity has taken place, Rapid7 researchers warn that could change very soon and urged users to apply a hotfix that SolarWinds issued last Wednesday.
Dive Insight:
High severity vulnerabilities like CVE-2024-28995 have previously been targeted in smash-and-grab situations, Rapid7 said. In those cases, hackers have quickly gained access to victims and used the exfiltrated data for extortion.
For example, smash-and-grab campaigns took place when targeting vulnerabilities in the MOVEit file-transfer service, CVE-2023-34362; GoAnywhere MFT, CVE-2023-0669; and more recently in CrushFTP, CVE-2024-4040.
Fewer said in this case an unauthenticated attacker can read arbitrary files stored on an affected Serv-U system.
“The impact of this is the total loss of confidentiality for every file the attacker reads,” Fewer said via email. “As the vulnerable product is a file sharing solution, by design there will be files located on the vulnerable system intended to be shared by users in a private and secure manner.”
SolarWinds has been working with customers to get them to apply the previously issued mitigations.
“We have disclosed and patched this vulnerability and are not aware of any evidence that this issue has been exploited,” a SolarWinds spokesperson said via email. “Because Serv-U is an on-premises software, we are communicating transparently with customers to ensure they are aware of the steps they should take to apply the patch and better protect their environments.”
The Serv-U vulnerability was discovered by security researcher Hussein Daher.
SolarWinds continues to deal with the fallout from the 2020 Sunburst attacks, as the Securities and Exchange Commission filed civil charges in 2023 against the company and its CISO claiming it misled investors about security capabilities.
The company has vehemently denied those charges and has worked closely with federal officials to provide learnings with the wider security community since those attacks.
Source link