Enterprise IT software vendor unsure of scope of impact
SolarWinds has patched a remote code execution (RCE) vulnerability in its Serv-U file transfer products after Microsoft observed exploitation against “a limited, targeted set of customers” by “a single threat actor”.
“A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges,” said SolarWinds. “An attacker could then install programs; view, change, or delete data; or run programs on the affected system.”
Having been alerted to the flaw and hostile exploitation by Microsoft, SolarWinds said it “mobilized to address it quickly”, issuing a hotfix on July 9.
The enterprise IT software vendor said it does not yet “have an estimate of how many customers may be directly affected by the vulnerability”, or the identity of any potentially affected customers.
SolarWinds said the flaw “is completely unrelated to the Sunburst supply chain attack” that unfolded at the tail end of 2020, in which nation-state attackers compromised SolarWinds clients such as Microsoft, FireEye, and US government agencies via vulnerabilities in SolarWinds’ Orion software.
Indicators of compromise
The vulnerability exists in all Serv-U versions up to and including 15.2.3 HF1, and has been addressed in Serv-U 15.2.3 HF2.
“We recommend all customers using Serv-U install this fix immediately for the security of your environment,” said SolarWinds.
SolarWinds has confirmed that no other SolarWinds or N-able (formerly SolarWinds MSP) products are affected by the flaw.
The company has warned Serv-U customers that the throwing of exceptions within their environment could be a sign of compromise – although there are other potential causes – because exploitation takes the form of Return Oriented Programming (ROP) attacks.
Another potential indicator of compromise is “potentially suspicious connections via SSH”.
Customers are protected from attacks exploiting the vulnerability when SSH is disabled, added SolarWinds.
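The two facts above that a defender can act on immediately are the version boundary (everything up to and including 15.2.3 HF1 is affected, HF2 fixes it) and the SSH exposure condition. The following is an added triage script, not SolarWinds’ or The Daily Swig’s code; the inventory, hostnames and version strings in it are constructed for illustration, and it assumes Serv-U versions are recorded as `major.minor.patch [HFn]`, with a missing hotfix suffix treated as HF0.

```python
import re
from typing import Tuple

# Boundaries as stated in the article: last affected build and first fixed build.
LAST_VULNERABLE = "15.2.3 HF1"
FIXED = "15.2.3 HF2"

# Assumed version format: "15.2.3" or "15.2.3 HF1" (hotfix suffix optional).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch [HFn]' into a comparable tuple; no hotfix counts as HF0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf or 0))


def is_vulnerable(version: str) -> bool:
    """True for every build up to and including 15.2.3 HF1 (tuple compare handles HF ordering)."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def triage(host: str, version: str, ssh_enabled: bool) -> str:
    """Rank one Serv-U host: unpatched with SSH enabled is the exploitable combination."""
    if not is_vulnerable(version):
        return "patched"
    if ssh_enabled:
        return f"EXPOSED: upgrade to {FIXED} immediately (or disable SSH until then)"
    return "unpatched but SSH disabled: not reachable via this flaw, still upgrade"


# Constructed inventory for the example; hostnames and versions are illustrative only.
INVENTORY = [
    ("ftp-01", "15.2.3 HF2", True),
    ("ftp-02", "15.2.3 HF1", True),
    ("ftp-03", "15.2.3", False),
    ("ftp-04", "15.1.7 HF3", True),
]

if __name__ == "__main__":
    for host, version, ssh in INVENTORY:
        state = "on" if ssh else "off"
        print(f"{host:8} {version:12} ssh={state:3} -> {triage(host, version, ssh)}")
```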
The company also said that “additional details of the vulnerability will be published after giving customers ample time to upgrade for the security of their environments”.
The Daily Swig has put additional queries to SolarWinds, including one related to the scope of impact. We’ll update this article should we receive a response.