Active Exploitation of SolarWinds Serv-U Path-Traversal Vulnerability
June 20, 2024
Threat actors are actively exploiting a path-traversal vulnerability in SolarWinds Serv-U using publicly available proof-of-concept (PoC) exploits. The attacks themselves are not sophisticated, but they show how quickly an unpatched, internet-exposed system is picked up once a PoC circulates, and they underline the need for administrators to apply the available patch.
The vulnerability, tracked as CVE-2024-28995, is a high-severity directory traversal flaw that lets unauthenticated attackers read arbitrary files from the host filesystem with crafted HTTP GET requests. It stems from insufficient validation of path traversal sequences, which allows an attacker to bypass the server's checks and reach sensitive files outside the web root. Several SolarWinds Serv-U products are affected, including older versions (15.3.2 and earlier) that are already unsupported and reach end of life in February 2025.
Successful exploitation gives an attacker unauthorized read access to files on the server and can expose sensitive data such as credentials and configuration, which can be used to extend the compromise. SolarWinds released Serv-U 15.4.2 Hotfix 2 (version 15.4.2.157) on June 5, 2024, which closes the flaw by adding stricter path validation.
Over a recent weekend, Rapid7 analysts published a technical report describing in detail how the directory traversal flaw in SolarWinds Serv-U can be exploited to read arbitrary files from an affected system. The following day, an independent Indian researcher released a PoC exploit and a bulk scanner for CVE-2024-28995 on GitHub.
Rapid7 subsequently warned about how trivial the flaw is to exploit, estimating that between 5,500 and 9,500 internet-exposed instances are potentially vulnerable. GreyNoise set up a honeypot impersonating a vulnerable Serv-U server to observe and analyze exploitation attempts against CVE-2024-28995. Its analysts saw a mix of manual and automated attempts.
Attackers use platform-specific traversal sequences: the request carries '..' separated by the slash that is foreign to the target platform, so the traversal check does not fire, and Serv-U then rewrites the separators to the native form, producing a traversal that escapes the web root. The typical Windows payload is 'GET /?InternalDir=/../../../../windows&InternalFile=win.ini' (forward slashes), and the typical Linux payload is 'GET /?InternalDir=\..\..\..\..\etc&InternalFile=passwd' (backslashes). GreyNoise also published the files most frequently requested through this vector; attackers go after them to escalate privileges or to find further footholds in the compromised network.
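To make the ordering bug concrete, here is an added example (not SolarWinds code, and not a reconstruction of Serv-U internals) that models the check-then-rewrite sequence described above next to a canonicalise-then-contain version. The web root, function names and the exact form of the check are assumptions for illustration; the two payloads are the ones quoted in the text.

```python
import posixpath

# Constructed web root standing in for the directory Serv-U serves client
# files from (assumption for this example; not the product's real layout).
WEB_ROOT = "/opt/serv-u/Client/Common"


def _resolve(internal_dir: str, internal_file: str) -> str:
    """Join the two request parameters under WEB_ROOT and collapse '..'
    segments. Separators must already be '/' at this point. Parameters are
    assumed to be URL-decoded, as a web framework would deliver them."""
    relative = posixpath.join(internal_dir.lstrip("/"), internal_file)
    return posixpath.normpath(posixpath.join(WEB_ROOT, relative))


def vulnerable_resolve(internal_dir: str, internal_file: str,
                       native_sep: str = "/") -> str:
    """Flawed ordering (a model, not Serv-U's code): the check only recognises
    '..' followed by the platform's native separator, and foreign separators
    are rewritten to native ones only after the check has passed."""
    foreign_sep = "\\" if native_sep == "/" else "/"
    if f"..{native_sep}" in internal_dir:
        raise ValueError("traversal rejected")
    # Too late: '\..\' on Linux (or '/../' on Windows) now becomes the
    # native traversal sequence the check above was looking for.
    rewritten = internal_dir.replace(foreign_sep, native_sep)
    return _resolve(rewritten.replace("\\", "/"), internal_file)


def hardened_resolve(internal_dir: str, internal_file: str) -> str:
    """Canonicalise first, then enforce containment under WEB_ROOT instead of
    pattern-matching the raw input for one particular spelling of '..'."""
    target = _resolve(internal_dir.replace("\\", "/"),
                      internal_file.replace("\\", "/"))
    if posixpath.commonpath([WEB_ROOT, target]) != WEB_ROOT:
        raise ValueError(f"path escapes web root: {target}")
    return target


def is_rejected(resolver, internal_dir: str, internal_file: str, **kwargs) -> bool:
    """True if the resolver refuses the request instead of returning a path."""
    try:
        resolver(internal_dir, internal_file, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Linux target: backslashes slip past a check that looks for '../'.
    print(vulnerable_resolve("\\..\\..\\..\\..\\etc", "passwd", native_sep="/"))
    # Windows target: forward slashes slip past a check that looks for '..\'.
    print(vulnerable_resolve("/../../../../windows", "win.ini", native_sep="\\"))
    # The same two requests against the canonicalise-then-contain version.
    for d, f in (("\\..\\..\\..\\..\\etc", "passwd"),
                 ("/../../../../windows", "win.ini")):
        print(is_rejected(hardened_resolve, d, f))
```

The point of the hardened version is that it never tries to enumerate bad spellings of '..': it normalises every separator, resolves the full path, and then checks that the result still lies under the web root, so a payload in either slash style is rejected for the same reason.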
GreyNoise reported cases where attackers appear to have copy-pasted exploits without testing them, resulting in failed attempts. In other attempts originating from China, however, the attackers showed persistence, adaptability and a deeper understanding of the flaw: according to GreyNoise, they experimented with different payloads and formats for four hours and adjusted their approach based on the server's responses.
With attacks confirmed in progress, administrators should apply Serv-U 15.4.2 Hotfix 2 as soon as possible.
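Because the honeypot observations above show attackers varying separator style and encoding, a detection rule that matches only the literal '../' will miss most of the traffic. The following added example (not GreyNoise's or SolarWinds' code) scans constructed, combined-log-style web server lines for Serv-U InternalDir/InternalFile requests, normalises each value before matching, and reports the attempts per source address. The log lines, addresses and timestamps are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real honeypot data). Combined-log format.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jun/2024:01:12:03 +0000] "GET /?InternalDir=/../../../../windows&InternalFile=win.ini HTTP/1.1" 200 403
203.0.113.11 - - [16/Jun/2024:01:14:51 +0000] "GET /?InternalDir=%5C..%5C..%5C..%5C..%5Cetc&InternalFile=passwd HTTP/1.1" 200 1842
198.51.100.7 - - [16/Jun/2024:01:15:10 +0000] "GET /?InternalDir=%252e%252e%255c%252e%252e%255cetc&InternalFile=shadow HTTP/1.1" 404 0
198.51.100.7 - - [16/Jun/2024:01:20:44 +0000] "GET /?InternalDir=css&InternalFile=style.css HTTP/1.1" 200 2201
192.0.2.5 - - [16/Jun/2024:02:00:00 +0000] "GET /Web%20Client/Login.xml HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A '..' path segment once every separator has been unified to '/'.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def canonical(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (attackers double-encode) and unify separators,
    so '../', '..\\', '%2e%2e%5c' and '%252e%252e%255c' all look the same."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True if the value contains a '..' segment in any supported spelling."""
    return TRAVERSAL_RE.search(canonical(value)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose InternalDir or InternalFile
    parameter carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        internal_dir = query.get("InternalDir", [""])[0]
        internal_file = query.get("InternalFile", [""])[0]
        if not (internal_dir or internal_file):
            continue  # not a Serv-U client request at all
        if is_traversal(internal_dir) or is_traversal(internal_file):
            hits.append({
                "src": line.split()[0],
                "raw_dir": internal_dir,
                "decoded_target": canonical(internal_dir) + "/" + canonical(internal_file),
            })
    return hits


def attempts_by_source(hits: list) -> Counter:
    """Count traversal attempts per source address; a high count from one
    address with differing raw_dir values is the 'probing' pattern."""
    return Counter(hit["src"] for hit in hits)


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for hit in found:
        print(hit["src"], hit["raw_dir"], "->", hit["decoded_target"])
    print(attempts_by_source(found))
```

Note that parse_qs already performs one round of percent-decoding, which is why the double-encoded third line still needs the extra decoding in canonical before the match; the benign css request from the same address is correctly left alone.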