“Trivially exploitable” bug in SolarWinds file server needs prompt fixing

“CVE-2024-28995 is not known to be exploited in the wild as of 9 AM ET on June 11. We expect this to change."

A vulnerability in file share software from SolarWinds is “trivially exploitable and allows an external unauthenticated attacker to read any file on disk, including binary files” says Rapid7, warning that it expects exploitation to follow fast and that nearly 10,000 instances are exposed.

The vulnerability, allocated CVE-2024-28995, was disclosed by SolarWinds on June 5. The directory traversal vulnerability affects the Serv-U file transfer server, which comes in two editions (Serv-U FTP and Serv-U MFT).
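The bug class at issue here is directory traversal: a file server that joins a client-supplied path onto its share root without canonicalising the result will serve files from outside that root. The following is an added illustration written for this article, not Serv-U code and not derived from the advisory; the root directory, the log lines and the detection helper are all constructed. It shows the naive join beside a hardened resolver that percent-decodes (including double encoding), normalises separators and refuses any path that does not stay under the root, and then reuses that resolver to flag suspicious requests in sample access-log lines.

```python
"""Directory traversal: the vulnerable join pattern beside a hardened resolver,
plus a small log-scanning helper built on the same check. Constructed example;
ROOT, SAMPLE_LOG and the function names are assumptions, not Serv-U internals."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed share root; a real file server would use its configured directory.
ROOT = "/srv/files"


def naive_join(root: str, requested: str) -> str:
    """The vulnerable pattern: trust the client path verbatim.
    '..' segments walk out of the root and an absolute path replaces it."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Hardened form. Returns the canonical path if it stays under root,
    otherwise None. Decodes twice to defeat double percent-encoding, folds
    backslashes to slashes, rejects NUL bytes, treats the request as
    relative, then canonicalises and checks the prefix."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if "\x00" in decoded:
        return None
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


# Constructed access-log lines in a common-log style; not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /reports/q1.pdf HTTP/1.1" 200',
    '10.0.0.9 - - "GET /..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200',
    '10.0.0.7 - - "GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404',
]


def flag_traversal_requests(lines: List[str]) -> List[str]:
    """Return the source addresses of requests whose path would escape ROOT.
    Useful as a retrospective hunt over logs after a traversal advisory."""
    flagged = []
    for line in lines:
        try:
            request_path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip it
        if safe_resolve(ROOT, request_path) is None:
            flagged.append(line.split(" ")[0])
    return flagged


if __name__ == "__main__":
    print("naive :", naive_join(ROOT, "../../etc/passwd"))
    print("safe  :", safe_resolve(ROOT, "../../etc/passwd"))
    print("hunt  :", flag_traversal_requests(SAMPLE_LOG))
```

The prefix check must run on the canonicalised path, not on the raw request, because encoded or mixed-separator forms of `..` only become visible after decoding and normalisation.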

It was disclosed by security researcher Hussein Daher, who told The Stack that exploitation was "incredibly easy; unauthenticated; one single request – no chain" and added that the bounty he had been offered for the find was just $3,000, less than what the company charges for a single licence.

(Daher said he had seen 300,000 Serv-U instances on Shodan and that with regard to the bounty "SolarWinds said they will try to make it better, but the bounty has not yet been paid.")

(File transfer servers have been widely exploited in the wild in recent years, leading to severe data breaches at thousands of companies that included the loss of sensitive intellectual property and credentials; the MOVEit vulnerability, CVE-2023-34362, was alone used to hit more than 2,100 organisations, impacting over 62 million people downstream.)

“CVE-2024-28995 is not known to be exploited in the wild as of 9 AM ET on June 11. We expect this to change,” said security firm Rapid7 – which “recommends installing the vendor-provided hotfix (Serv-U 15.4.2 HF 2) immediately, without waiting for a regular patch cycle to occur.”

In other news, SolarWinds continues to contest a case against the company and its CISO Timothy Brown; both were charged with fraud and internal control failures by the Securities and Exchange Commission (SEC) last year, three years after a devastating supply chain attack on its Orion software by a Russian state-backed threat group that also targeted others.

The US markets watchdog, in a complaint filed on October 30, alleged that the company and its CISO failed to disclose known cybersecurity risks and “specific deficiencies” in SolarWinds’ cybersecurity practices. It updated its complaint in February this year with more allegations. Over 50 CISOs and former CISOs have written in support of efforts to dismiss the case.

SolarWinds defenders say that “the SEC’s theories propose to sanction SolarWinds and Timothy G. Brown based on internal communications aimed at improving cybersecurity, as well as alleged inadequacies in public filings, which CISOs are not typically responsible for drafting or approving.

“Liability under these theories empowers threat actors, chills internal communications about cyber-threats, exacerbates the already severe shortage of cybersecurity professionals, and deters collaboration between the private sector and the Government,” they added in March 2024.

On May 15, 2024, both sides presented oral arguments before Judge Paul A. Engelmayer in New York on the defendants' motion to dismiss.