SolarWinds, the company at the center of a supply chain attack that compromised nine US agencies and 100 private companies, is scrambling to contain a new security threat: a critical zero-day vulnerability in its Serv-U product line.
Microsoft discovered the exploits and privately reported them to SolarWinds, the latter company said in an advisory published on Friday. SolarWinds said the attacks are entirely unrelated to the supply chain attack discovered in December.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” company officials wrote. “SolarWinds is unaware of the identity of the potentially affected customers.”
Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP (and by extension the Serv-U Gateway, which is a component of these two products) are affected by this vulnerability, which allows attackers to remotely execute malicious code on vulnerable systems.
An attacker who exploits the flaw can gain privileged access to machines hosting Serv-U products. The attacker could then install programs; view, change, or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5, and all prior versions.
SolarWinds has issued a hotfix to mitigate the attacks while the company works on a permanent solution. People running Serv-U version 15.2.3 HF1 should apply hotfix (HF) 2; those using Serv-U 15.2.3 should apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2; and those running Serv-U versions prior to 15.2.3 should upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2. The company recommends customers install the fixes immediately.
The hotfixes are available here. Disabling SSH access also prevents exploitation.
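The hotfix sequence above, as an added example (not SolarWinds' or the article's own code): a Python helper that maps an installed Serv-U version string to the ordered steps the advisory gives, for triaging a fleet inventory. The version-string format, the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Step labels follow the hotfix sequence described in the advisory text above.
UPGRADE = "upgrade to Serv-U 15.2.3"
HF1 = "apply Serv-U 15.2.3 HF1"
HF2 = "apply Serv-U 15.2.3 HF2"
BASE = (15, 2, 3)

# Assumed format: optional "Serv-U" prefix, X.Y.Z, optional "HF<n>" suffix.
_VERSION_RE = re.compile(
    r"^\s*(?:Serv-U\s+)?(\d+)\.(\d+)\.(\d+)(?:\s+HF\s*(\d+))?\s*$", re.I)

def parse_version(text):
    """Return ((major, minor, patch), hotfix_level) for strings like '15.2.3 HF1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch)), int(hf or 0)

def remediation_steps(version_text):
    """Ordered steps to reach 15.2.3 HF2; empty list if already there or newer."""
    release, hotfix = parse_version(version_text)
    if release > BASE or (release == BASE and hotfix >= 2):
        return []
    if release < BASE:
        return [UPGRADE, HF1, HF2]
    return [HF2] if hotfix == 1 else [HF1, HF2]

def triage(inventory):
    """Map host -> steps; unparseable version strings are flagged for manual review."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = remediation_steps(version_text)
        except ValueError:
            report[host] = ["manual review: version string not recognised"]
    return report

# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "ftp-01": "15.2.3 HF1",
    "ftp-02": "15.2.3",
    "ftp-03": "15.1.6",
    "ftp-04": "Serv-U 15.2.3 HF2",
    "ftp-05": "unknown",
}

if __name__ == "__main__":
    for host, steps in triage(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(steps) or "no action from this advisory")
```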
The federal government has attributed last year’s supply chain attack to hackers working for Russia’s FSB, the successor to the KGB, which has carried out espionage-focused hacking for decades. That campaign exploited vulnerabilities in the SolarWinds network to take control of the Austin, Texas-based company’s software build system.
The hackers used that access to push a malicious software update to about 18,000 customers of SolarWinds’ Orion network management product. Of those customers, roughly 110 received a follow-on attack that installed a later-stage payload that exfiltrated proprietary data. The malware installed in the attack campaign is known as Sunburst. Again, SolarWinds said the exploits underway now have no connection.
Late last year, zero-day vulnerabilities in SolarWinds’ Orion product came under exploit by a different set of attackers that researchers have tied to China’s government. Those attackers installed malware that researchers call SuperNova. Threat actors linked to China have also targeted SolarWinds. At least one US government agency was targeted in this operation.