
WARNING: SOLARWINDS HAS RELEASED A HOTFIX FOR CVE-2024-28995, A HIGH SEVERITY DIRECTORY TRAVERSAL VULNERABILITY IN ALL OF THEIR SERV-U PRODUCTS, PATCH IMMEDIATELY!

Reference: Advisory #2024-83
Version: 2.0
Affected software: SolarWinds Serv-U 15.4.2 Hotfix 1 and previous versions
Type: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE/CVSS: CVE-2024-28995, CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)


Risks

Successful exploitation of this directory traversal vulnerability in SolarWinds Serv-U could allow attackers to read files on the machine on which Serv-U is running. All SolarWinds Serv-U instances that are not running 15.4.2 Hotfix 2 are vulnerable to CVE-2024-28995.

The vulnerability has a CVSS score of 8.6. Since it only allows attackers to download files from the target system and does not enable them to modify those files, only confidentiality is impacted. The CVSS scope is "changed" (S:C), which means that exploiting this vulnerability could allow attackers to access sensitive files on the host machine, outside the Serv-U application's own data.

Update 13/06/2024: A proof of concept is available. The Centre for Cybersecurity Belgium assesses that exploitation is likely to take place in the future.

Description

SolarWinds did not disclose technical details about this directory traversal vulnerability. All SolarWinds Serv-U products that are not running 15.4.2 Hotfix 2 are vulnerable. Both Windows and Linux installations are affected by CVE-2024-28995.

Path traversal vulnerabilities are typically of low complexity to exploit, and this is also the case for CVE-2024-28995. Combined with the changed scope of this vulnerability, which allows attackers to access sensitive files on the host machine, it is critical to update your SolarWinds Serv-U instance to v15.4.2 Hotfix 2 as soon as possible to avoid any disclosure of sensitive files on the host.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Be aware that your Serv-U appliance needs to be running v15.4.2 Hotfix 1 in order to install v15.4.2 Hotfix 2, which patches CVE-2024-28995.

Detailed installation instructions are provided by SolarWinds and can be found here: https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-2-Hotfix-2-Release-Notes


Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
