- June 7, 2024
- Beazley Security Labs
High Severity Vulnerability in SolarWinds Serv-U (CVE-2024-28995)
Executive Summary
On June 5th, SolarWinds disclosed a vulnerability in their file transfer application Serv-U. The vulnerability is being tracked as CVE-2024-28995 and is a directory traversal vulnerability that would allow an attacker to read sensitive files on the target machine.
This vulnerability was discovered by a third-party security researcher, Hussein Daher, and affects SolarWinds Serv-U 15.4.2 HF 1 and previous versions. SolarWinds released a patch with their advisory, found here. Successful exploitation of this vulnerability could lead to further compromise of the system or lateral movement within the network. Third-party security firm Feedly further reported that this vulnerability would allow a remote attacker to gain unauthorized access to sensitive information stored on the server, such as credentials, configuration files, or other sensitive data. We expect financially motivated threat actors will study the patch to develop and deploy weaponized exploits in the coming days. Given these factors, Lodestone believes immediate deployment of the software patches released by SolarWinds is crucial.
Affected Systems or Products
The vulnerability affects the following SolarWinds products:
Products:
- Serv-U FTP Server
- Serv-U Gateway
- Serv-U MFT Server
Versions:
- All versions up to 15.4.2 HF 1
Patches
SolarWinds provided software patches at the time of disclosure. Users with supported versions of Serv-U can download SolarWinds's Hotfix update patches here and apply them as follows:
1. Shut down all running Serv-U processes.
   1. Right-click the tray icon and select Stop Serv-U.
   2. Right-click the tray icon and select Exit Tray.
2. Replace the following files and folders with the ones you backed up during installation:
   1. In Windows OS:
      1. <Serv-U-InstallDir>\Serv-U.exe
      2. <Serv-U-InstallDir>\Serv-U-Tray.exe
      3. <Serv-U-InstallDir>\Serv-U.dll
      4. <Serv-U-InstallDir>\Serv-U-RES.dll
      5. <Serv-U-InstallDir>\RhinoNET.dll
      6. <Serv-U-InstallDir>\RhinoRES.dll
   2. In Linux OS:
      1. <Serv-U-InstallDir>/Serv-U
3. Extract the hotfix archive to a temporary location.
4. Open the folder for the platform on which Serv-U is installed.
5. On Linux, modify the permissions of the file by executing the following command:
      chmod u+xs Serv-U
6. Copy the contents of this folder to your Serv-U installation directory.
7. Start the Serv-U Tray application.
8. Right-click the Serv-U Tray icon and select Start Serv-U.
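The Linux part of the steps above (the chmod and the copy), written as a shell function that also saves the current binary first and checks the result afterwards. This is an added example, not SolarWinds' or Beazley Security's script; it assumes Serv-U is already stopped and the hotfix archive is already extracted, and the function name, arguments and return codes are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): Linux side of steps 5-6, plus backup and verify.
# Assumes Serv-U is stopped and the hotfix archive is already extracted.
# Function name, arguments and return codes are illustrative.

apply_servu_hotfix() {
    install_dir=$1   # <Serv-U-InstallDir>
    hotfix_dir=$2    # extracted hotfix folder for this platform
    backup_dir=$3    # where the current binary is saved first

    new_bin="$hotfix_dir/Serv-U"
    cur_bin="$install_dir/Serv-U"
    [ -f "$new_bin" ] || { echo "missing $new_bin" >&2; return 2; }
    [ -f "$cur_bin" ] || { echo "missing $cur_bin" >&2; return 2; }

    # Save the current binary and confirm the copy is byte-identical.
    mkdir -p "$backup_dir" || return 3
    cp -p "$cur_bin" "$backup_dir/Serv-U" || return 3
    cmp -s "$cur_bin" "$backup_dir/Serv-U" || return 3

    # Step 5: the advisory's command, applied to the extracted file.
    chmod u+xs "$new_bin" || return 4

    # Step 6: copy the folder contents. -p keeps the mode set in step 5;
    # a plain cp may not carry the setuid bit over.
    cp -pR "$hotfix_dir"/. "$install_dir"/ || return 5

    # Verify the installed binary is the hotfix file and kept its mode.
    cmp -s "$new_bin" "$cur_bin" || { echo "content mismatch" >&2; return 6; }
    if [ ! -u "$cur_bin" ] || [ ! -x "$cur_bin" ]; then
        echo "setuid/execute bit missing on $cur_bin" >&2
        return 7
    fi
    return 0
}

# Usage: sh apply_hotfix.sh <install_dir> <hotfix_dir> <backup_dir>
if [ "$#" -eq 3 ]; then
    apply_servu_hotfix "$@"
fi
```

A non-zero return identifies the stage that failed, so the saved copy in the backup directory can be put back before Serv-U is restarted.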
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management Solution, Karma, to identify potentially impacted devices and support organizations in remediation of any issues found.