SolarWinds urges customers to patch zero-day flaw actively exploited in the wild

Bug affects a pair of IT management tools - Serv-U Managed File Transfer and Serv-U Secure FTP

Software firm SolarWinds has released a patch for a previously unknown zero-day vulnerability that is being currently being exploited by a single threat actor in attacks targeting a limited number of customers.

In a security advisory published on Friday, the company said that the remote code execution (RCE) bug, indexed as CVE-2021-35211, impacts a pair of IT management tools - Serv-U Managed File Transfer and Serv-U Secure FTP - which are used to manage remote file servers.

"The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions," the firm stated.

A successful exploit would potentially enable a threat actor to run arbitrary code with privileges.

The attacker could then run or install malicious programmes, as well as view, modify or delete data on the affected machine.

"If SSH is not enabled in the environment, the vulnerability does not exist," SolarWinds said.

"To the best of our understanding, no other SolarWinds products have been affected by this vulnerability."

SolarWinds is unaware of "the identity of the potentially affected customers" and does not have "an estimate of how many customers may be directly affected by the vulnerability".

Microsoft Offensive Security Research and Microsoft Threat Intelligence Center (MSTIC) teams were credited for the discovery of the zero-day flaw.

The company is now urging customers to install its freshly deployed hotfix (Serv-U version 15.2.3 hotfix 2) as soon as possible to prevent the bug from causing undue headaches. Customers of the products need to log into their customer portals to access updates.

SolarWinds has also listed many suggestions for administrators to check if they have been compromised through the zero-day bug.

"Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack," the advisory says.

"When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack."

SolarWinds also says that CVE-2021-35211 is "completely unrelated" to last year's massive cyber espionage campaign in which alleged Russian hackers exploited a vulnerability in SolarWinds' Orion software to break into the computer networks of several government agencies and private firms.

The SolarWinds hack was disclosed in December after the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were found to have been compromised in a massive cyber campaign.

The attackers were able to breach networks after compromising SolarWinds' network monitoring software Orion, which was widely used by various government departments and private companies.

The hackers inserted malicious code into legitimate software updates for the Orion software, which allowed them remote access into the victim's environment.

Multiple US federal agencies confirmed that they were compromised in the SolarWinds supply-chain attack, with the list including:

The White House blamed Russia for the intelligence coup and sanctioned several Russian officials and organisations in April. Russia has denied the allegations, saying it had no involvement in the hack.