SonicWALL Inc.
07/03/2024 | Press release | Distributed by Public on 07/03/2024 19:45
High Risk Path Traversal in SolarWinds Serv U
Overview
The SonicWall Capture Labs threat research team became aware of a path traversal vulnerability in SolarWinds Serv-U, assessed its impact and developed mitigation measures. Serv-U server is a solution that provides a secure file transfer facility and control inside and outside the organization. Identified as CVE-2024-28995, SolarWinds Serv-U 15.4.2 HF 1 and previous versions allow an unauthenticated threat actor to access local files remotely, earning a high CVSS score of 8.6. On account of multiple reports of in-the-wild exploitation of the vulnerability, the users are strongly encouraged to upgrade their instances to the latest fixed version SolarWinds Serv-U 15.4.2 HF 2, as mentioned by the vendor in the advisory.
Technical Overview
This vulnerability arises from a flaw in the input validation mechanism while building a local path of a requested file in the BuildLocalPath method. It allows remote threat actors to provide a maliciously crafted InternalDir parameter in the request and traverse any path in the affected system. The Attacker can then provide any file name using InternalFile parameter to access the file.
The diff of the affected function provided by Rapid7 shows that the patch has introduced the check to eliminate the path traversal vector if it is present in the parameter, as seen in Figure 1. This implies that this function is highly likely to be the root cause of the issue.
Figure 1: Checks introduced in the affected function, source: rapid7
Additionally, as seen in Figure 2, the utilization of this affected function shows that it is responsible for processing the crucial inputs, InternalDir and InternalFile, provided by the user. These values are then used to retrieve a file. This means that the reading of an arbitrary file is possible by sending a crafted request.
Figure 2: Affected function processing user inputs, source: rapid7
Exploitation
To trigger and exploit this vulnerability, an attacker must send a request with a crafted value of InternalDir parameter, as seen in Figure 3. The exploitation of this vulnerability yields the remote threat actor an access to sensitive files and information on the server, as demonstrated by accessing win.ini file in the example. This vulnerability has a high impact on data confidentiality and does not require user interaction.
Figure 3: Exploit in action
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 4454 SolarWinds Serv-U Path Traversal 2
- IPS: 20138 SolarWinds Serv-U Path Traversal 3
Threat Graph
The SonicWall sensor data shows a significant number of exploit attempts, considering the software's popularity.
Remediation Recommendations
Considering the widespread user base of SolarWinds products and the underlying risk of sensitive data exposure, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.
Relevant Links
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.