[CDP-development] TLP:GREEN [UPDATED] (Vulnerability Alert Notification) CVE-2024-28995 - Directory Traversal Vulnerability in SolarWinds Serv-U

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Wed Jul 17 11:18:34 PDT 2024


Good morning,

The SOC Services team is reporting on the vulnerability CVE-2024-28995, Directory Traversal Vulnerability in SolarWinds Serv-U.  Because of its high visibility, the presence of this software in the state environment, and active exploitation, we are providing this in-depth information:

History: On June 5, 2024, SolarWinds released updates for its Serv-U file transfer server, addressing a directory traversal vulnerability.  CVE-2024-28995 was published on June 6, 2024 and currently carries a CVSSv3 rating of 7.5 (High).  As of July 17, 2024, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.


The following products are affected:

  *   SolarWinds Serv-U 15.4.2 HF 1 and previous versions.

Patches are available from SolarWinds to fix the vulnerability.  The fixed version is:

  *   SolarWinds Serv-U 15.4.2 HF 2.

Further information is available from SolarWinds as published in their Customer Success release notes:

  *   Serv-U 15.4.2 Hotfix 2 Release Notes - https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-2-Hotfix-2-Release-Notes
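The affected and fixed versions above are what a scanner plugin compares against.  As an added example (not from this advisory, SolarWinds, or Tenable), the following Python script parses Serv-U version strings in the "15.4.2 HF 1" form and flags inventory entries that still need the hotfix.  The version-string format, the handling of a trailing build number (ignored), and the sample inventory are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Fixed release named in the SolarWinds hotfix release notes cited above.
FIXED_VERSION = "15.4.2 HF 2"

# Assumed version-string format: major.minor.patch, an optional build number,
# and an optional "HF n" / "Hotfix n" suffix, e.g. "15.4.2 HF 1", "15.4.2.126".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:\s*(?:HF|Hotfix)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_servu_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a Serv-U version string into (major, minor, patch, hotfix).

    A release with no hotfix suffix is hotfix 0, so "15.4.2" sorts below
    "15.4.2 HF 1". The build number, if present, is ignored.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable_to_cve_2024_28995(version: str) -> bool:
    """True for Serv-U 15.4.2 HF 1 and every earlier release."""
    return parse_servu_version(version) < parse_servu_version(FIXED_VERSION)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs from an inventory that still need HF 2."""
    return [(host, ver) for host, ver in inventory
            if is_vulnerable_to_cve_2024_28995(ver)]


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [
        ("ftp01.example.org", "15.4.2 HF 2"),
        ("ftp02.example.org", "15.4.2 HF 1"),
        ("ftp03.example.org", "15.4.2.126"),
        ("ftp04.example.org", "15.3.1 Hotfix 2"),
    ]
    for host, ver in triage_inventory(sample):
        print(f"{host}: Serv-U {ver} is affected; upgrade to {FIXED_VERSION}")
```

A release with no hotfix suffix is deliberately ranked below "HF 1" so that a plain "15.4.2" install is reported as affected rather than silently skipped; an unrecognised string raises instead of being treated as patched.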

Intelligence: As of June 18, 2024, SolarWinds is aware that CVE-2024-28995 has been exploited in the wild, and it is very likely that exploitation will continue over the coming months.  Security analysts at Rapid7 published details on exploitation, and a proof-of-concept exploit with a bulk scanner was later released on GitHub.  Security researchers describe the vulnerability as trivial to exploit.

Workarounds:  There are no workarounds at this time.

How it works:  An unauthenticated attacker can exploit the vulnerability by crafting a specific HTTP GET request to Serv-U that reads an arbitrary file from disk, including binary files, provided the attacker knows the file's path and the file is not locked by another process.  The read happens with the privileges of the Serv-U service process, so a service running as SYSTEM or root exposes far more of the host than one running under an unprivileged account.

Post-Exploit: Upon successful exploitation of the vulnerability, an adversary can bypass Serv-U's security checks and read sensitive files.  What is read could also be chained into additional attacks.

No known indicators of compromise have been publicly shared at this time.
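No indicators have been published, but the vulnerability is exploited through HTTP GET requests carrying directory traversal sequences, so the request logs of the Serv-U HTTP listener are the place to look before patching (the first item under Recommended Actions).  As an added example, not from this advisory or from SolarWinds, the following Python script scans constructed access-log lines in a generic common-log-format shape for ".." path segments after URL-decoding (including double encoding) and after treating backslashes as separators.  The log format, the IP addresses, and the query parameter names dir and file are assumptions made for this example; Serv-U's own log format would require adjusting the request regular expression.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Constructed sample access-log lines in a generic common-log-format shape.
# The IPs, paths and query parameter names (dir, file) are made up for this
# example; this is not Serv-U's own log format and these lines are not
# published indicators of compromise.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2024:10:01:02 -0700] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [17/Jul/2024:10:01:09 -0700] "GET /?dir=docs&file=readme.txt HTTP/1.1" 200 800
203.0.113.7 - - [17/Jul/2024:10:01:15 -0700] "GET /?dir=archive&file=notes..txt HTTP/1.1" 200 640
198.51.100.23 - - [17/Jul/2024:10:02:41 -0700] "GET /?dir=../../../../etc&file=passwd HTTP/1.1" 200 2048
198.51.100.23 - - [17/Jul/2024:10:02:58 -0700] "GET /?dir=..%5c..%5c..%5cconfig&file=settings.ini HTTP/1.1" 200 3072
198.51.100.23 - - [17/Jul/2024:10:03:10 -0700] "GET /?dir=%252e%252e%252f%252e%252e%252fetc&file=shadow HTTP/1.1" 200 1024
192.0.2.9 - - [17/Jul/2024:10:04:00 -0700] "POST /login HTTP/1.1" 302 0
"""

# client, timestamp, method, request target, status (assumed log layout)
_REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})'
)


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def traversal_depth(target: str) -> int:
    """Count '..' path segments in a decoded request target.

    Backslashes count as separators because Windows hosts accept them.
    A '..' embedded in a name such as 'notes..txt' is not a segment and
    is not counted, which keeps ordinary filenames from triggering hits.
    """
    normalized = target.replace("\\", "/")
    segments = re.split(r"[/?&=;]", normalized)
    return sum(1 for seg in segments if seg == "..")


def find_traversal_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose target contains traversal segments."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, ts, method, raw_target, status = m.groups()
        decoded = fully_decode(raw_target)
        depth = traversal_depth(decoded)
        if depth:
            hits.append({"line": lineno, "client": client, "time": ts,
                         "method": method, "target": decoded,
                         "depth": depth, "status": int(status)})
    return hits


if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_LOG):
        print(f"line {h['line']}: {h['client']} {h['method']} {h['target']} "
              f"(depth {h['depth']}, HTTP {h['status']})")
```

Matching whole segments rather than the substring ".." is what keeps the third sample line (a legitimate "notes..txt") out of the results while the plain, backslash-encoded and double-encoded requests from 198.51.100.23 are all reported.  A hit with a 200 response and a high depth is the request to investigate first; a 4xx status shows the attempt was rejected or the guessed path did not exist.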

As of June 8, 2024, the following vulnerability plugin has been released and is currently available in Tenable Security Center:

  Plugin   Title                                                 Severity
  200179   SolarWinds Serv-U < 15.4.2 HF2                        High
           https://www.tenable.com/plugins/nessus/200179

Additionally, as of June 15, 2024, the following vulnerability plugin has been released and is currently available for Tenable Web App Scanning (WAS):

  Plugin   Title                                                 Severity
  114302   SolarWinds Serv-U < 15.4.2 HF 2 Directory Traversal   High
           https://www.tenable.com/plugins/was/114302


Recommended Actions:


  *   Verify the host has not been compromised before applying patches; the hotfix closes the traversal but does not undo access to anything an attacker has already read.
  *   Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable, and secure state technology systems that equitably serve Oregonians."
