Vulnerability in SolarWinds Serv-U Fileserver being Exploited

11:00am, 13 July 2021

TLP Rating: Clear

SolarWinds has released an update for an actively exploited vulnerability in its Serv-U Secured FTP and Serv-U Managed File Transfer Server software. The vulnerability only affects servers that have Serv-U SSH enabled in the environment. It allows remote code execution with administrative privileges, which lets an attacker take control of the device.

What's happening

Systems affected

Systems running Serv-U 15.2.3 HF1 and earlier, including:

  • Serv-U Managed File Transfer Server
  • Serv-U Secured FTP

What this means

An attacker can gain control over the server running Serv-U, and use this access to manipulate data, or possibly gain access to other devices in the network.

What to look for

How to tell if you're at risk

You are at risk if your organisation runs an affected version of Serv-U and has the Serv-U SSH service enabled and accessible in the environment.

How to tell if you're affected

The presence of certain exceptions in the DebugSocketlog.txt log file, in addition to unusual connections to the SSH service or the web application on port 443, could indicate compromise.

For further information, see the "How can I tell if my environment has been compromised" section of SolarWinds’ advisory.

What to do

Prevention

CERT NZ recommends that you update your Serv-U software to Serv-U 15.2.3 HF2 immediately.

Mitigation

If you are unable to update immediately, consider disabling the Serv-U SSH service until you are able to apply the update.

More information

SolarWinds’ security advisory.

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
