Chinese Link in Serv-U SSH Breach
Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with “high confidence” to a threat actor operating out of China.
The remote code execution (RCE) flaw (CVE-2021-35211) was rooted in Serv-U's implementation of the Secure Shell (SSH) protocol and could be abused by attackers to run arbitrary code on the affected system, including installing malicious programs and viewing, changing, or deleting sensitive data.
An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported.
The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context, which could allow uninitialized data to be used as a function pointer during the decryption of successive SSH messages. An attacker could trigger this by connecting to the open SSH port and sending a malformed pre-auth connection request. The attackers were likely relying on DLLs compiled without address space layout randomization (ASLR) and loaded by the Serv-U process to facilitate exploitation.
ASLR is a protection mechanism that makes memory-corruption exploits such as buffer overflows harder to carry out by randomizing the addresses at which executables and libraries are loaded into memory. Microsoft recommended enabling ASLR wherever possible.
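The practical check a defender takes away from this report is to verify that every DLL a file-transfer service loads was built with ASLR. On Windows that is recorded in the PE optional header (the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag), and it is only effective if the image still carries relocation data (IMAGE_FILE_RELOCS_STRIPPED not set). The following is an added example, not code from Microsoft, SolarWinds or the article: it parses those header fields directly and flags modules that cannot be randomized. The module names and header bytes are constructed here so it runs offline; on a real host you would read each loaded module's file from disk.

```python
import struct

# Flag values from the PE/COFF specification.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (PE32+ only)
DLLCHAR_DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
DLLCHAR_NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
FILE_RELOCS_STRIPPED = 0x0001      # IMAGE_FILE_RELOCS_STRIPPED in the COFF header
FILE_EXECUTABLE_IMAGE = 0x0002
FILE_DLL = 0x2000


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report which load-time mitigations apply."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symptr, _nsym, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)

    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    dynamic_base = bool(dll_chars & DLLCHAR_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": pe32plus,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": pe32plus and bool(dll_chars & DLLCHAR_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & DLLCHAR_NX_COMPAT),
        # The loader can only rebase an image that asks for it AND still has relocations.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_pe_header(dll_characteristics: int, file_characteristics: int = FILE_DLL | FILE_EXECUTABLE_IMAGE,
                    pe32plus: bool = False) -> bytes:
    """Build a minimal, constructed PE header (DOS stub + PE sig + COFF + optional header) for testing."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)          # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample "loaded modules" (hypothetical names, not real Serv-U files).
SAMPLE_MODULES = {
    "service_core.dll": build_pe_header(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT | DLLCHAR_HIGH_ENTROPY_VA, pe32plus=True),
    "legacy_helper.dll": build_pe_header(DLLCHAR_NX_COMPAT),                      # DEP only, no ASLR opt-in
    "stripped.dll": build_pe_header(DLLCHAR_DYNAMIC_BASE,
                                    FILE_DLL | FILE_EXECUTABLE_IMAGE | FILE_RELOCS_STRIPPED),  # opted in, but cannot be rebased
}


def find_non_aslr_modules(modules: dict) -> list:
    """Return the names of modules the loader cannot randomize, in the order given."""
    return [name for name, image in modules.items() if not pe_mitigations(image)["aslr_effective"]]


if __name__ == "__main__":
    for name, image in SAMPLE_MODULES.items():
        print(name, pe_mitigations(image))
    print("modules without effective ASLR:", find_non_aslr_modules(SAMPLE_MODULES))
```

Both the DYNAMIC_BASE flag and the presence of relocations are checked because a module with stripped relocations loads at its preferred base regardless of the flag, which is exactly the predictable address layout an uninitialized-pointer bug like this one benefits from. Running the same parser over the files backing a service's loaded modules gives an inventory of the images that need to be rebuilt with /DYNAMICBASE or covered by a mandatory-ASLR policy.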