SolarWinds, the company at the center of a supply chain attack that compromised nine US agencies and 100 private companies, is scrambling to contain a new security threat: a critical zero-day vulnerability in its Serv-U product line.
Microsoft discovered the exploits and privately reported them to SolarWinds, the company said in an advisory published on Friday. SolarWinds said the attacks are completely unrelated to the supply chain attack discovered in December.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” company officials wrote. “SolarWinds is unaware of the identity of the potentially affected customers.”
Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP—and by extension the Serv-U Gateway, which is a component of those two products—are affected by this vulnerability, which allows attackers to remotely execute malicious code on vulnerable systems.
If exploited, an attacker can gain privileged access to machines hosting Serv-U products. An attacker could then install programs; view, change, or delete data; or run programs on the affected system. The vulnerability exists in the latest Serv-U version 15.2.3 HF1, released on May 5, and all prior versions.
SolarWinds has issued a hotfix to mitigate the attacks while the company works on a permanent solution. People running Serv-U version 15.2.3 HF1 should apply hotfix (HF) 2; those using Serv-U 15.2.3 should apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2; and those running Serv-U versions prior to 15.2.3 should upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2. The company recommends customers install the fixes immediately.
The hotfixes are available from SolarWinds. Disabling SSH access also prevents exploitation.
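As an added example, not code from SolarWinds or the advisory, the following Python script turns the upgrade sequence above into an inventory check: it parses Serv-U version strings (including the "HF" hotfix suffix), returns the ordered steps a host still needs to reach 15.2.3 HF2, and flags unpatched hosts that still have SSH enabled, since disabling SSH is the interim mitigation named above. The host names and versions in the sample inventory are constructed.

```python
import re
from dataclasses import dataclass

# Fully hotfixed level per the advisory: Serv-U 15.2.3 HF2, encoded as (major, minor, patch, hf).
PATCHED = (15, 2, 3, 2)

# Accepts "15.2.3", "15.2.3 HF1", "15.2.3HF1" or "v15.2.3 HF2"; no hotfix suffix means HF0.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Parse a Serv-U version string into a comparable (major, minor, patch, hf) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf) if hf else 0)


def remediation_steps(installed):
    """Return the ordered hotfix steps the advisory prescribes for this version ([] if already fixed)."""
    v = parse_version(installed)
    if v >= PATCHED:
        return []
    if v[:3] < (15, 2, 3):
        return ["upgrade to Serv-U 15.2.3", "apply Serv-U 15.2.3 HF1", "apply Serv-U 15.2.3 HF2"]
    if v[3] < 1:  # plain 15.2.3 without any hotfix
        return ["apply Serv-U 15.2.3 HF1", "apply Serv-U 15.2.3 HF2"]
    return ["apply Serv-U 15.2.3 HF2"]  # 15.2.3 HF1


@dataclass
class Host:
    name: str
    version: str
    ssh_enabled: bool


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_HOSTS = [
    Host("mft-01", "15.2.3 HF2", True),   # fully patched
    Host("mft-02", "15.2.3 HF1", True),   # needs HF2, SSH reachable: exposed
    Host("sftp-03", "15.2.3", False),     # needs HF1 then HF2, SSH disabled: mitigated for now
    Host("legacy-04", "15.1.7", True),    # full upgrade chain, SSH reachable: exposed
]


def triage(hosts=SAMPLE_HOSTS):
    """Map each host name to its outstanding steps and whether it is both unpatched and SSH-exposed."""
    return {
        h.name: {"steps": remediation_steps(h.version),
                 "exposed": bool(remediation_steps(h.version)) and h.ssh_enabled}
        for h in hosts
    }
```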
The federal government has attributed last year’s supply chain attack to hackers working for Russia’s FSB, the successor to the KGB, which has carried out espionage-focused hacking for decades. That campaign exploited vulnerabilities in the SolarWinds network to take control of the Austin, Texas-based company’s software build system.
The hackers used that access to push a malicious software update to about 18,000 customers of SolarWinds’ Orion network management product. Of those customers, roughly 110 received a follow-on attack that installed a later-stage payload that exfiltrated proprietary data. The malware installed in the attack campaign is known as Sunburst. Again, SolarWinds said the exploits underway now have no connection.
Late last year, zero-day vulnerabilities in SolarWinds’ Orion product came under exploit by a different set of attackers that researchers have tied to China’s government. Those attackers installed malware that researchers call SuperNova, and at least one US government agency was targeted in that operation.