
Chinese Hackers Responsible for SolarWinds Serv-U SSH 0-Day Attack: Microsoft

by CISOCONNECT Bureau

Microsoft has released technical details about a now-patched, actively exploited and serious security vulnerability in the SolarWinds Serv-U managed file transfer service, which it has linked with “high confidence” to a threat actor operating out of China.

The Texas-based company patched a remote code execution flaw (CVE-2021-35211) rooted in Serv-U’s implementation of the Secure Shell (SSH) protocol. The flaw could allow attackers to run arbitrary code on the affected system, including installing malicious programs and viewing, changing, or deleting sensitive data.

In a detailed write-up describing the exploit, the Microsoft Offensive Research and Security Engineering team said: “The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration.”

The researchers added: “An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported.”

Microsoft had earlier linked the attacks to DEV-0322, a China-based group, citing “observed victimology, tactics, and procedures.” The company has now revealed that the remote, pre-auth vulnerability was made worse by the way the Serv-U process handled access violations without terminating the process, which made stealthy, reliable exploitation attempts easy.

The researchers said: “The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages.”

The researchers added: “Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation.”

ASLR is a security mitigation that makes buffer overflow attacks harder to carry out by randomizing the positions in the address space at which executables are loaded into memory, so an exploit cannot rely on code or data sitting at a fixed address.

Microsoft, which reported the attack to SolarWinds, said it recommended ensuring ASLR compatibility for all binaries loaded in the Serv-U process.

The researchers said: “ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U.”
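The practical takeaway of that recommendation is an audit: every DLL and executable a network-facing process loads must opt in to ASLR, and one module that does not is enough to hand an attacker fixed addresses. The script below is an added example, not Microsoft's or SolarWinds' code, showing how such a check can be done from the PE headers alone: it reads the `DllCharacteristics` word of the optional header for the `DYNAMIC_BASE` (ASLR opt-in) and `HIGH_ENTROPY_VA` flags, and also checks the COFF `Characteristics` for `RELOCS_STRIPPED`, because an image without a relocation table cannot be moved even if the opt-in bit is set. The sample images and their file names are constructed in memory for the demonstration and are not real Serv-U binaries.

```python
"""Check whether PE images (DLLs/EXEs) opt in to ASLR.

Added example, not Microsoft's or SolarWinds' code. It parses only the
headers it needs: the DOS stub's e_lfanew, the COFF file header and the
DllCharacteristics word of the optional header. The sample images below
are constructed in memory so the script runs offline.
"""
import struct
from dataclasses import dataclass

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP compatible

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


@dataclass(frozen=True)
class AslrReport:
    magic: int
    file_characteristics: int
    dll_characteristics: int

    @property
    def dynamic_base(self) -> bool:
        return bool(self.dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

    @property
    def high_entropy_va(self) -> bool:
        return bool(self.dll_characteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)

    @property
    def relocs_stripped(self) -> bool:
        return bool(self.file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)

    @property
    def aslr_compatible(self) -> bool:
        # DYNAMIC_BASE is the opt-in; without a relocation table the loader
        # cannot move the image, so stripped relocations defeat it.
        return self.dynamic_base and not self.relocs_stripped


def parse_pe_aslr(data: bytes) -> AslrReport:
    """Extract the flags that decide ASLR compatibility from raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, size_of_optional, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)
    return AslrReport(magic, file_chars, dll_chars)


def audit_images(images: dict) -> list:
    """Return the names of images that would weaken ASLR for the host process."""
    return [name for name, blob in images.items()
            if not parse_pe_aslr(blob).aslr_compatible]


def build_sample_pe(magic: int, file_chars: int, dll_chars: int) -> bytes:
    """Construct a minimal header-only PE image (sample data, not a real DLL)."""
    size_of_optional = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows DOS header
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_of_optional, file_chars)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


# Constructed sample set: the names are illustrative, not real Serv-U binaries.
SAMPLES = {
    "modern_aslr.dll": build_sample_pe(
        PE32PLUS_MAGIC, 0,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy_no_aslr.dll": build_sample_pe(PE32_MAGIC, 0, IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "dynbase_no_relocs.dll": build_sample_pe(
        PE32_MAGIC, IMAGE_FILE_RELOCS_STRIPPED, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = parse_pe_aslr(blob)
        print(f"{name:24} dynamic_base={r.dynamic_base} high_entropy={r.high_entropy_va} "
              f"relocs_stripped={r.relocs_stripped} -> {'OK' if r.aslr_compatible else 'WEAK'}")
    print("images needing attention:", audit_images(SAMPLES))
```

On a real host the same `parse_pe_aslr` can be fed the bytes of each module path listed for the service process; the pass condition is an empty list from `audit_images`, and any entry in the list is a module to rebuild with `/DYNAMICBASE` or to replace.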

According to the reports, threat actors use a number of strategies and tools to breach corporate networks, including piggybacking on legitimate software.
