Directory Traversal Vulnerability in SolarWinds Serv-U

Instantly calculate the time you can save by automating compliance

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

[Calculate now]

Directory Traversal Vulnerability in SolarWinds Serv-U

Overview

CVE-2024-28995 is a critical directory traversal vulnerability in SolarWinds Serv-U, affecting versions 15.4 and earlier across multiple platforms including Windows and Linux. This vulnerability enables unauthenticated attackers to read arbitrary files on the system, potentially leading to sensitive data exposure. SolarWinds has released a hotfix (15.4.2 Hotfix 2) to mitigate this issue, and immediate updates are recommended.

Affected Versions

• Serv-U FTP Server 15.4

• Serv-U Gateway 15.4

• Serv-U MFT Server 15.4

• Serv-U File Server 15.4

Technical Details

The vulnerability stems from insufficient validation of user input in the file transfer functionality of Serv-U. Specifically, the parameters InternalDir and InternalFile are retrieved and passed to a vulnerable function without proper sanitization, allowing directory traversal attacks.

Proven Cybersecurity CV Template

To help with your job applications, I am giving away my own CV in template form. This template has helped me get a Cybersecurity internship, a grade role, a promotion to Sr Analyst and a Sr Cybersecurity Engineering role. To get the free CV template, all you need to do is subscribe to our newsletter. If you’ve already subscribed, please just fill out the poll below. I hope it serves you as well as it has served me. Godspeed.

If you want to start your own newsletter and want to start earning straight away, please feel free to use my affiliate link here.

Proof of Concept (PoC)

The vulnerability can be exploited by crafting an HTTP request that includes manipulated file paths, using traversal sequences to access files outside the intended directories.

1. Identifying the Vulnerable Endpoint: In almost all uses of the vulnerable function, the InternalDir and InternalFile parameters are passed to it.

2. Crafting the Malicious Request: By manipulating these parameters, an attacker can construct a path that includes traversal sequences to access arbitrary files.

Example curl command to test the vulnerability:

3. Demonstrating File Access: Using Procmon, file system access is captured showing the traversal in action.

Example command to read Serv-U-StartupLog.txt:

Output:

Tactics, Techniques, and Procedures (TTPs)

• Initial Access: Exploiting CVE-2024-28995 to gain unauthorized file access.

• Execution: Sending crafted HTTP requests to the vulnerable endpoint.

• Credential Access: Accessing files containing credentials or other sensitive information.

• Discovery: Reading configuration and log files to understand system details.

• Collection: Exfiltrating sensitive data from the compromised system.

YARA Rule for Detection

A YARA rule can help detect attempts to exploit this vulnerability by looking for common directory traversal patterns.

Mitigation

Apply the hotfix provided by SolarWinds immediately to mitigate the vulnerability. Additionally, monitor network traffic for unusual patterns, implement strict input validation, and use intrusion detection systems to detect and prevent exploitation attempts.

Get smarter about crypto with MilkRoad’s 5 minute daily newsletter, read by 290,000+ people. Subscribe for free!