Pierluigi Paganini September 03, 2021

SolarWinds did not enable anti-exploit mitigation available since 2006 allowing threat actors to target SolarWinds Serv-U FTP software in July attacks.

Software vendor SolarWinds did not enable ASLR anti-exploit mitigation that was available since the launch of Windows Vista in 2006, allowing the attackers to launch targeted attacks in July.

Microsoft, which investigated the incidents, said the attacks against SolarWinds file transfer servers were carried out by a Chinese hacking group tracked as DEV-0322.

Threat actors exploited a zero-day remote code execution flaw, tracked as CVE-2021-35211, in Serv-U products.

SolarWinds was informed of the zero-day by Microsoft, the issue affects Serv-U Managed File Transfer Server and Serv-U Secured FTP. According to Microsoft, the flaw was exploited in attacks against a limited, targeted set of customers by a single threat actor.

The issue resides in Serv-U version 15.2.3 HF1 and all prior versions, the vendor released Serv-U version 15.2.3 hotfix (HF) 2 to fix the issue. All other SolarWinds and N-able (formerly SolarWinds MSP) are not affected by this issue, including the Orion Platform, and all Orion Platform modules. 

“Microsoft reported to SolarWinds that they had discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product. Microsoft provided a proof of concept of the exploit. If exploited, a threat actor may be able to gain privileged access to the threat actor on the machine hosting Serv-U.” reads the advisory published by SolarWinds. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability.”

The experts pointed out that this issue is not linked to the SolarWinds supply chain attack.

Later Microsoft provided further details about the attacks and the attack chain used by the threat actors.

The researchers refer to the threat actor as a DEV, which means that it is classified as a “development group,” and assign each DEV group a unique number (DEV-####) for tracking purposes. Microsoft has observed DEV-0322 targeting entities in the U.S. Defense Industrial Base Sector and software companies. According to the experts, the APT group is based in China and employed commercial VPN solutions and compromised consumer routers in their attacker infrastructure. Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation. 

“MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised.” reads the post published by Microsoft.

Now Microsoft published a post mortem analysis of the attacks that revealed that SolarWinds developers failed to enable Address Space Layout Randomization (ASLR) compatibility in some modules. Microsoft researchers discovered that the threat actors likely used DLL libraries compiled without ASLR loaded by the Serv-U process to facilitate exploitation.

“Enabling ASLR is a simple compile-time flag which is enabled by default and has been available since Windows Vista. ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U.” reads the post mortem published by Microsoft. “We recommended enabling ASLR compatibility for all binaries loaded in the Serv-U process”

Microsoft published technical details of the vulnerability in Serv-U’s implementation of SSH and demonstrated that the Serv-U SSH server is affected by a pre-auth remote code execution vulnerability that can be easily exploited in the default configuration,

“We concluded that the exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages. Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request.” concludes Microsoft.

SolarWinds has already patched the vulnerability,

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]