Last updated at Mon, 17 Jun 2024 20:25:52 GMT

On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting their Serv-U file transfer server, which is available in two editions (Serv-U FTP and Serv-U MFT). Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the target server. Rapid7’s vulnerability research team has reproduced the vulnerability and confirmed that it’s trivially exploitable and allows an external unauthenticated attacker to read any file on disk, including binary files, so long as they know the path and the file is not locked (i.e., opened exclusively by something else).

CVE-2024-28995 is not known to be exploited in the wild as of 9 AM ET on June 11. We expect this to change; Rapid7 recommends installing the vendor-provided hotfix (Serv-U 15.4.2 HF 2) immediately, without waiting for a regular patch cycle to occur.

High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims. File transfer products have been targeted by a wide range of adversaries over the past several years, including ransomware groups.

Internet exposure estimates for SolarWinds Serv-U vary substantially based on the query used — e.g., 9,470 Serv-U instances by one count vs. 5,434 using a different query. (Note that exposed does not automatically mean vulnerable, however.)

Mitigation guidance

SolarWinds Serv-U 15.4.2 HF 1 and previous versions are vulnerable to CVE-2024-28995, per the vendor advisory. The vulnerability is fixed in SolarWinds Serv-U 15.4.2 HF 2. SolarWinds Serv-U customers should apply the vendor-provided hotfix immediately.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-28995 with an unauthenticated vulnerability check available as of the Monday, June 10 content release.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and may alert on post-exploitation behavior related to this vulnerability:

  • Suspicious Web Server Request - Successful Path Traversal Attack
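The detection named above keys on a request path that climbs out of the web root and a server response indicating the read succeeded. The following is an added example of that general logic, written for this post and not Rapid7's own rule or any Serv-U-specific signature: it parses web server access-log lines in the common "combined" format (constructed samples, embedded inline), percent-decodes the request path repeatedly to defeat single and double encoding, treats backslashes as path separators, and flags any path whose `..` segments would escape the root. A 2xx response on a flagged request is marked as a successful traversal, which is the case that warrants immediate investigation.

```python
"""Flag web server requests whose URL path traverses out of the web root.

Added illustration for this post; the log format and sample lines are
constructed, and the logic is generic, not a vendor detection rule.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined"-style access-log line (constructed sample format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log: one benign request, one benign relative path,
# and four traversal attempts using plain, encoded, backslash and
# double-encoded separators. Only three of the four returned 2xx.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2024:09:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [11/Jun/2024:09:01:05 +0000] "GET /static/../../../../windows/win.ini HTTP/1.1" 200 403
203.0.113.8 - - [11/Jun/2024:09:01:09 +0000] "GET /a/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [11/Jun/2024:09:01:12 +0000] "GET /files/..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 403
203.0.113.9 - - [11/Jun/2024:09:01:15 +0000] "GET /docs/..%252f..%252fetc/passwd HTTP/1.1" 404 0
203.0.113.10 - - [11/Jun/2024:09:01:20 +0000] "GET /img/a/../b.png HTTP/1.1" 200 2048
"""


def decode_path(target, rounds=3):
    """Return the request path with percent-encoding removed.

    Decoding is repeated (bounded) so that double-encoded separators such
    as %252f are resolved; backslashes are normalized to forward slashes
    because Windows-hosted servers treat both as separators.
    """
    path = urlsplit(target).path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path):
    """True if the '..' segments in path ever climb above the root.

    Depth is tracked segment by segment, so '/img/a/../b.png' (which stays
    inside the root) is not flagged while '/a/../../x' is.
    """
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan(log_text):
    """Return one record per request whose decoded path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        path = decode_path(match["target"])
        if escapes_root(path):
            status = int(match["status"])
            hits.append({
                "ip": match["ip"],
                "timestamp": match["ts"],
                "raw_target": match["target"],
                "decoded_path": path,
                "status": status,
                # A 2xx on a traversal request means the server likely
                # served the file: the "successful" case in the rule name.
                "successful": 200 <= status < 300,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        verdict = "SUCCESSFUL" if hit["successful"] else "attempted"
        print(f'{hit["ip"]} {verdict} traversal -> {hit["decoded_path"]} ({hit["status"]})')
```

Tuning note: bounding the decode loop matters, since an attacker-controlled input can otherwise be crafted to loop indefinitely; three rounds cover single and double encoding, which is what most evasions use.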