SolarWinds, the company at the center of a supply chain attack that compromised nine US government agencies and 100 private companies, is scrambling to contain a new security threat: a critical zero-day vulnerability in its Serv-U product line.
Microsoft discovered the exploits and privately reported them to SolarWinds, the latter company said in an advisory published on Friday. SolarWinds said the attacks are entirely unrelated to the supply chain attack discovered in December.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” company officials wrote. “SolarWinds is unaware of the identity of the potentially affected customers.”
Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP (and by extension the Serv-U Gateway, a component of those two products) are affected by this vulnerability, which allows attackers to remotely execute malicious code on vulnerable systems.
An attacker can gain privileged access to exploited machines hosting Serv-U products and could then install programs; view, change, or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version, 15.2.3 HF1, released on May 5, and in all prior versions.
SolarWinds has issued a hotfix to mitigate the attacks while the company works on a permanent fix. The required steps depend on the installed version: those running Serv-U 15.2.3 HF1 should apply hotfix (HF) 2; those running Serv-U 15.2.3 should apply Serv-U 15.2.3 HF1 and then Serv-U 15.2.3 HF2; and those running Serv-U versions prior to 15.2.3 should upgrade to Serv-U 15.2.3, apply Serv-U 15.2.3 HF1, and then apply Serv-U 15.2.3 HF2. The company says customers should install the fixes immediately.
The hotfixes are available from SolarWinds. Disabling SSH access also prevents exploitation until the hotfixes can be applied.
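The version-dependent remediation path above is easy to get wrong across a fleet, so here is an added example (not SolarWinds' own tooling and not part of the advisory) that turns the installed version string into the ordered list of steps the advisory calls for. It assumes version strings in the advisory's "15.2.3" / "15.2.3 HF1" form, and treats any release newer than 15.2.3 HF2 as already fixed, which is an assumption rather than something the advisory states.

```python
import re
from typing import List, Tuple

# Baseline release and hotfix level at which the advisory considers Serv-U fixed.
FIXED_BASE = (15, 2, 3)
FIXED_HF = 2

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_servu_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Parse '15.2.3 HF1' into ((15, 2, 3), 1); a missing HF suffix means hotfix level 0.

    The 'x.y.z [HFn]' format is assumed from the advisory's own naming.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {version!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    hotfix = int(m.group(4)) if m.group(4) else 0
    return base, hotfix


def is_affected(version: str) -> bool:
    """True for 15.2.3 HF1 and everything earlier, per the advisory.

    Anything past 15.2.3 HF2 is treated as fixed (assumption, not stated by the advisory).
    """
    base, hotfix = parse_servu_version(version)
    if base != FIXED_BASE:
        return base < FIXED_BASE
    return hotfix < FIXED_HF


def required_steps(version: str) -> List[str]:
    """Return the ordered remediation steps for an installed version, or [] if none are needed."""
    if not is_affected(version):
        return []
    base, hotfix = parse_servu_version(version)
    steps: List[str] = []
    if base < FIXED_BASE:
        # Older branches must first be brought up to the 15.2.3 baseline, which has no hotfix yet.
        steps.append("upgrade to Serv-U 15.2.3")
        hotfix = 0
    if hotfix < 1:
        steps.append("apply Serv-U 15.2.3 HF1")
    steps.append("apply Serv-U 15.2.3 HF2")
    return steps


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and version strings are made up for illustration.
    inventory = {
        "mft-01": "15.2.3 HF1",
        "mft-02": "15.2.3",
        "sftp-legacy": "15.1.7",
        "mft-03": "15.2.3 HF2",
    }
    for host, ver in inventory.items():
        steps = required_steps(ver)
        print(f"{host} ({ver}): {' -> '.join(steps) if steps else 'no action needed'}")
```

Hosts that cannot be patched straight away still show up as affected here, which is the cue to disable SSH access on them as the interim mitigation the advisory describes.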
The federal government has attributed last year’s supply chain attack to hackers working for Russia’s Foreign Intelligence Service, abbreviated as the SVR, which for more than a decade has carried out malware campaigns targeting governments, political think tanks, and other organizations in countries including Germany, Uzbekistan, South Korea, and the US. Targets have included the US State Department and the White House in 2014.
The hackers used their access to SolarWinds’ systems to push a malicious software update to about 18,000 customers of SolarWinds’ Orion network management product. Of those customers, roughly 110 received a follow-on attack that installed a later-stage payload that exfiltrated proprietary data. The malware installed in that campaign is known as Sunburst. Again, SolarWinds said the exploits underway now have no connection to it.
Late last year, zero-day vulnerabilities in SolarWinds’ Orion product also came under exploit by a different set of attackers that researchers have tied to China’s government. Those attackers installed malware that researchers call SuperNova. At least one US government agency was targeted in that operation.