A Vulnerability in SolarWinds Serv-U Could Allow for Path Transversal
ITS ADVISORY NUMBER:
2024-068
DATE(S) ISSUED:
06/07/2024
SUBJECT:
A Vulnerability in SolarWinds Serv-U Could Allow for Path Transversal
OVERVIEW:
A vulnerability has been discovered in SolarWinds Serv-U that could allow for path transversal that could lead to disclosure of sensitive information. SolarWinds Serv-U is a managed file transfer solution used to store and share files across an enterprise network. It can be hosted on both Windows and Linux-based servers. Successful exploitation of this vulnerability could allow for the disclousure of sensitive information in the context of the files and directories. Depending on the permissions associated with the files, an attacker could view content within them. Files with stricter access controls and file permissions could be less impacted than those without.
THREAT INTELLEGENCE:
There are currently no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
- SolarWinds Serv-U versions prior to 15.4.2 HF 2
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
A vulnerability has been discovered in SolarWinds Serv-U that could allow for path transversal. An unauthenticated adversary can access files stored outside the server root directory using “dot-dot-slash (../)” sequences in the URL for the management console.
Details of this vulnerability are as follows:
Tactic: Discovery (TA0007)
Technique: File and Directory Discovery (T1083)
- SolarWinds Serv-U Directory Transversal Vulnerability (CVE-2024-28995)
Successful exploitation of this vulnerability could allow for the disclosure of sensitive information in the context of the files and directories. Depending on the permissions associated with the files, an attacker could view the content within them. Files and directories with stricter access controls could be less impacted than those without.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate updates provided by SolarWinds to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
- Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. (M1022: Restrict File and Directory Permissions)
- Safeguard 3.3: Configure Data Access Control Lists: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Safeguard 3.3: Configure Data Access Control Lists: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
- Safeguard 4.1: Establish and Maintain a Secure Configuration Process: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
- Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
- Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
- Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 13.10: Performing Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
REFERENCES:
SolarWinds:
https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995
Help Net Security:
https://www.helpnetsecurity.com/2024/06/07/cve-2024-28995/