SolarWinds releases security advisory after Microsoft discovers vulnerability

Updated: Microsoft said the attack targeted "entities in the US Defense Industrial Base Sector and software companies" while also attributing it to a group in China.

SolarWinds released updates for their Serv-U Managed File Transfer and Serv-U Secure FTP tools this weekend after being notified of Microsoft's vulnerability. 

In an advisory sent out on Friday and updated on Saturday, SolarWinds said Microsoft "reported to SolarWinds that they had discovered a remote code execution vulnerability in the SolarWinds Serv-U product." SolarWinds added that the Serv-U Gateway is a component of the Serv-U Managed File Transfer and Serv-U Secure FTP tools and is not a separate product. 

The vulnerability can be found in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. Microsoft provided the company with a proof of concept of the exploit and said that at least one threat actor has already used it.  

"A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system," the advisory said.

"Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers." 

A hotfix -- Serv-U version 15.2.3 hotfix (HF) 2 -- has been developed and released. 

SolarWinds said customers of the product should log into their Customer Portals to access updates. 

Those who are not on active maintenance and currently using a Serv-U product said it was offering customer service help. 

Microsoft's Threat Intelligence Center released its own memo on Tuesday, attributing the 0-day remote code execution exploit to DEV-0322, a group "operating out of China." Microsoft said it made the attribution based on victimology, tactics, and procedures. They also noted that Microsoft 365 Defender managed to protect their customers from the attack "even before the security patch was available."

"MSTIC has observed DEV-0322 targeting entities in the US Defense Industrial Base Sector and software companies. This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," Microsoft said. 

"By reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch."

To check if you have been compromised through this vulnerability, SolarWinds listed a number of suggestions and questions administrators should ask. 

"Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack. When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack," SolarWinds said. 

"Please collect the DebugSocketlog.txt log file. In the log file DebugSocketlog.txt you may see an exception, such as: 07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5," the company added, noting that exceptions "may be thrown for other reasons so please collect the logs to assist with determining your situation."

SolarWinds added that administrators should look for "connections via SSH from the following IP addresses, which have been reported as a potential indicator of attack by the threat actor: 98.176.196.89 68.235.178.32 or, look for connections via TCP 443 from the following IP address: 208.113.35.58."

SolarWinds vulnerabilities have been repeatedly targeted over the last year. In December, the company drew headlines when Russian government hackers compromised their network and deployed malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. 

In March, it was revealed that Chinese government hackers launched another attack on a SolarWinds server.