Users of SolarWinds' Serv-U file transfer suite urged to install hotfix fast

IT administrators with systems using SolarWinds' Serv-U Managed File Transfer and Serv-U Secure FTP are being urged to install a hotfix to fix a serious vulnerability.

In a security advisory issued over the weekend, the company said the bug could allow an attacker with privileges to run arbitrary code, install malicious programs, and view, alter or delete data.

Administrators who cannot install these updates should refer to the SolarWinds FAQ for information on how to help protect their systems from this vulnerability.

The vulnerability was discovered by Microsoft, which said it found evidence of "limited, targeted customer impact." It also provided a proof of concept of exploitation.

SolarWinds said it does not currently have an estimate of how many customers could be directly affected by the vulnerability. The company said the vulnerability in these two applications does not affect other SolarWinds products.

It follows the discovery late last year of vulnerabilities in a similar file transfer utility, Accellion's FTA application. Those vulnerabilities have given rise to a number of high-profile data thefts, revealed by organizations that were either hit before the patch was released or did not patch fast enough.

The latest to disclose is a company that provides contact management services to clients of US investment bank Morgan Stanley.

SolarWinds' Serv-U Managed File Transfer is file transfer protocol server software that provides centralized file transfer management and automation over IPv4 and IPv6 networks using FTP, FTPS, SFTP and HTTP/S. Serv-U File Transfer Protocol Server is for those who need file transfer using only FTP and FTPS.

SolarWinds customers with active maintenance on a Serv-U product should log in to their customer portal to access their updates. The update is expected to take only a few minutes to implement.

For those who are not on active maintenance and are currently using a Serv-U product, SolarWinds' customer success team will answer questions. Employees should open a customer service ticket with the subject "All-You Support."

One sign of compromise is a potentially suspicious SSH connection from three IP addresses. SolarWinds stated that if SSH is not enabled in an organization's environment, the vulnerability does not exist.

"This attack is a Return Oriented Programming (ROP) attack," it said. "When exploited, the vulnerability causes the Serv-U product to throw an exception and then prevents the exception handling code from running the command. Please note, many reasons exist for exceptions to be thrown, so the exception itself is no indication of an attack."

The company emphasized that the vulnerability is not related to the infamous Sunburst supply chain attack, in which an attacker was able to compromise the update mechanism for the Orion IT management platform.
