SolarWinds Fixes Severe Serv-U Vulnerability (CVE-2024-28995): Overview and Response Guide
In this article
Introduction
SolarWinds has recently addressed a critical security flaw, designated as CVE-2024-28995, in its Serv-U Managed File Transfer and Secure FTP software. This vulnerability, discovered by Hussein Daher, involves a directory traversal flaw that allows unauthenticated attackers to access sensitive files on the host system.
Understanding CVE-2024-28995
CVE-2024-28995 exploits a directory traversal vulnerability in SolarWinds Serv-U versions up to 15.4.2 HF 1. Directory traversal vulnerabilities permit attackers to access files and directories that are stored outside the web server’s root directory. The attackers can read sensitive information which could lead to further exploits or system compromises.
Technical Details and Impact
The flaw was particularly severe because it can be exploited remotely without requiring user interaction, making it trivially exploitable. The vulnerability has a high severity rating due to its potential to provide attackers access to sensitive data such as system configurations and user credentials.
SolarWinds’ Response
In response to this vulnerability, last week SolarWinds issued a hotfix, Serv-U 15.4.2 HF 2, which patches the flaw and is essential for mitigating potential threats. The hotfix is applicable to both Windows and Linux operating systems across 32-bit and 64-bit architectures.
Steps for Mitigation
- Update to the Latest Version: Organizations using Serv-U should immediately upgrade to version 15.4.2 HF 2 to close the security gap left by CVE-2024-28995.
- Patch Installation: After downloading the hotfix, system administrators should:
- Stop all Serv-U processes.
- Replace the necessary files as detailed in the hotfix instructions.
- Restart the Serv-U software.
- Verify System Integrity: After applying the hotfix, it’s crucial to check system logs and monitor network traffic to ensure there are no signs of compromise or ongoing unauthorized activities.
- Regular Security Audits: Regularly review and update all software to the latest versions and maintain rigorous security practices to protect against future vulnerabilities.
IONIX Response
For IONIX customers who are receiving a complete view of their external attack surface, CVE-2024-28995 details are available in our Threat Center (link valid for logged-in customers and prospects) – this helps to understand if any related FQDNs (Fully Qualified Domain Names) in your infrastructure have been exploited. IONIX Security Research Team developed a payload to validate for our customers’ specific exploitable assets. IONIX also offers a free scan to those wishing to check for their exploitable FQDNs.
Conclusion
The proactive disclosure and patching of CVE-2024-28995 by SolarWinds highlights the critical nature of maintaining up-to-date systems and the importance of quick response to discovered vulnerabilities. Organizations should continually assess their exposure to such vulnerabilities and swiftly apply recommended patches and updates to safeguard their information systems. IONIX customers have exploit simulation tools to assess their risk and to help remediate.
For detailed guidance and technical documentation on the vulnerability and patch, refer to SolarWinds’ official advisory and support documentation (SolarWinds) (Help Net Security) (Lodestone Security) .