SolarWinds Serv-U contains a high-severity path traversal vulnerability (CVE-2024-28995) that lets unauthenticated attackers read local files remotely. SonicWall urges upgrading to SolarWinds Serv-U 15.4.2 HF 2 to mitigate exploitation, prompted by multiple in-the-wild reports. #CVE-2024-28995 #SolarWindsServU #PathTraversal
Keypoints
- Vulnerability: CVE-2024-28995 in SolarWinds Serv-U enables unauthenticated remote file access via a flawed path-building routine.
- Affected versions: 15.4.2 HF 1 and earlier; rated high severity (CVSS 8.6).
- Root cause: missing input validation in the BuildLocalPath method, which combines the InternalDir and InternalFile request parameters to decide which local file to read, without confining the result to the intended directory.
- Exploitation: attacker crafts InternalDir to traverse directories and uses InternalFile to specify the target file; reading arbitrary files is possible (e.g., win.ini) without user interaction.
- Remediation: upgrade to SolarWinds Serv-U 15.4.2 HF 2 per the vendor advisory.
- Defensive measures: SonicWall released IPS signatures 4454 and 20138 to detect/mitigate attempts.
- Observations: SonicWall's threat graph shows a large volume of exploit attempts, and Rapid7's analysis corroborates the root cause and the fix shipped in HF 2.
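As an added illustration (not SonicWall's, SolarWinds' or Rapid7's code) of the root cause and the defensive point above: a path-building routine that joins the InternalDir and InternalFile parameters without confining the result to its root, the hardened form that checks the resolved path, and a detector run over constructed request lines of the kind the IPS signatures are meant to catch. BuildLocalPath, InternalDir, InternalFile and win.ini are the names from the advisory; the server root, the handler logic, the regex and the log lines are assumptions made for the example, and paths are POSIX-style.

```python
import os
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed (hypothetical) directory the file-serving handler is supposed to
# stay inside; POSIX-style paths are used throughout this illustration.
SERVER_ROOT = os.path.normpath("/opt/servu/client")


def _join_untrusted(internal_dir: str, internal_file: str) -> str:
    # Both parameters come straight from the request. Backslashes are treated
    # as separators so the Windows-style "\..\" payload behaves the same as
    # "/../" on a POSIX filesystem.
    rel_dir = internal_dir.replace("\\", "/").lstrip("/")
    return os.path.normpath(os.path.join(SERVER_ROOT, rel_dir, internal_file))


def build_local_path_vulnerable(internal_dir: str, internal_file: str) -> str:
    """Approximation of the flaw: the joined path is normalised but never
    confined to SERVER_ROOT, so '..' segments walk out of the root."""
    return _join_untrusted(internal_dir, internal_file)


def build_local_path_hardened(internal_dir: str, internal_file: str) -> Optional[str]:
    """Same join, then a containment check on the *resolved* path. commonpath
    is used rather than startswith so '/opt/servu/client2' is not accepted."""
    candidate = _join_untrusted(internal_dir, internal_file)
    if os.path.commonpath([SERVER_ROOT, candidate]) != SERVER_ROOT:
        return None
    return candidate


# Dot-dot followed by either separator, raw or URL-encoded.
TRAVERSAL = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)


def flag_request(request_line: str) -> Optional[Dict[str, str]]:
    """Return the offending parameter values if the HTTP request line carries
    traversal in InternalDir or InternalFile, otherwise None."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    hits: Dict[str, str] = {}
    for name in ("InternalDir", "InternalFile"):
        for value in params.get(name, []):
            # parse_qs decodes one layer; unquote again catches double encoding.
            if TRAVERSAL.search(value) or TRAVERSAL.search(unquote(value)):
                hits[name] = value
    return hits or None


# Constructed request lines, not real traffic: three traversal attempts
# (Windows-style, POSIX-style, URL-encoded) and two benign requests.
SAMPLE_LOG: List[str] = [
    "GET /?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini HTTP/1.1",
    "GET /?InternalDir=/../../../../etc&InternalFile=passwd HTTP/1.1",
    "GET /?InternalDir=%2e%2e%5c%2e%2e%5cwindows&InternalFile=win.ini HTTP/1.1",
    "GET /?InternalDir=Client&InternalFile=logo.png HTTP/1.1",
    "GET /Web%20Client/Login.xml HTTP/1.1",
]


def scan_log(lines: List[str]) -> List[str]:
    """Return the request lines that flag_request considers traversal attempts."""
    return [line for line in lines if flag_request(line)]


if __name__ == "__main__":
    print(build_local_path_vulnerable("/../../../../etc", "passwd"))  # /etc/passwd, outside the root
    print(build_local_path_hardened("/../../../../etc", "passwd"))    # None
    for line in scan_log(SAMPLE_LOG):
        print("traversal:", line)
```

The containment check runs on the normalised path rather than on the raw parameters, so stripping or rewriting traversal sequences is not what makes the hardened version safe; any encoding trick that survives decoding still ends up compared against SERVER_ROOT. The detector, by contrast, only sees the request, which is why it has to account for both separators and for URL encoding.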
MITRE Techniques
- [T1005] Data from Local System – The attacker can read arbitrary files on the server by crafting InternalDir/InternalFile in requests; “To trigger and exploit this vulnerability, an attacker must send a request with a crafted value of InternalDir parameter” and “The reading of an arbitrary file is possible by sending a crafted request.”
Indicators of Compromise
- [File] win.ini – The target file read in the published demonstration of the exploit. On its own it is not a compromise indicator; what to hunt for in web server logs is a request whose InternalDir or InternalFile value contains traversal sequences.
Read more: https://blog.sonicwall.com/en-us/2024/07/high-risk-path-traversal-in-solarwinds-serv-u/