# SolarWinds Trust Center Security Advisories **[solarwinds.com/trust-center/security-advisories/cve-2021-35211](https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211)** **SolarWinds uses cookies on its websites to make your online experience easier and** **better. By using our website, you consent to our use of cookies. For more information** **on cookies, see our** **[Cookie Policy.](https://www.solarwinds.com/legal/privacy)** Continue **Serv-U Remote Memory Escape Vulnerability** **CVE-2021-35211** Security Vulnerability **Released: July 9, 2021 Last updated: July 15, 2021** **Assigning CNA: SolarWinds** **Security Advisory Summary** **UPDATE July 15, 20201: You can** **[Subscribe to this RSS Feed to be notified when we](https://www.solarwinds.com/shared-content/rss-feed/solarwinds-cve-rss-feed)** **update this page (note: you will need to cut and paste the "Subscribe to this RSS** **feed" URL into an RSS Feed Reader, e.g., Outlook's RSS Subscriptions, to monitor** **updates).** **UPDATE July 13, 20201: We've provided additional indicators of compromise (IOCs)** **below. You can also find additional details on the threat actor and their findings in a** **[blog post from Microsoft.](https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/)** **UPDATE July 10, 2021: NOTE: This security vulnerability only affects Serv-U Managed** **File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-** **able (formerly SolarWinds MSP) products.** SolarWinds was recently notified by Microsoft of a security vulnerability related to Serv-U Managed File Transfer Server and [Serv-U Secured FTP and have developed a hotfix to](https://www.solarwinds.com/ftp-server-software) resolve this vulnerability. While Microsoft’s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly. ----- The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system. Serv-U version 15.2.3 hotfix (HF) 2 has been released. Please see the Security Updates table below for the applicable update for your system. We recommend you install these updates immediately. If you are unable to install these updates, see the FAQ in this Security Advisory for information on how to help protect your system from this vulnerability. Additional details of the vulnerability will be published after giving customers sufficient time to upgrade for the protection of their environments. **Affected Products** Serv-U 15.2.3 HF1 and all prior Serv-U versions **Fixed Software Release** [Serv-U 15.2.3 HF2](https://customerportal.solarwinds.com/) **Security Updates** **Software Version** **Upgrade Paths** Serv-U 15.2.3 HF1 Apply Serv-U 15.2.3 HF2, available in your Customer Portal Serv-U 15.2.3 Apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal All Serv-U versions prior to 15.2.3 Upgrade to Serv-U 15.2.3, then apply Serv-U 15.2.3 HF1, then apply Serv-U 15.2.3 HF2, available in your Customer Portal FAQ **What happened?** ----- Microsoft reported to SolarWinds that they had discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product. Microsoft provided a proof of concept of the exploit. If exploited, a threat actor may be able to gain privileged access to the threat actor on the machine hosting Serv-U. To the best of our understanding, no other SolarWinds products have been affected by this vulnerability. **Have SolarWinds customers been affected?** Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers. **Have N-able customers been affected?** No, N-able customer who do not use Serv-U are not affected by this vulnerability. _Updated July 13, 2021_ **What products are affected?** **Only SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows are** affected by this vulnerability. Please note the Serv-U Gateway is a component of these two products and is not a separate product. The Linux versions of these products are not vulnerable to a RCE exploit of this security vulnerability. The Linux version of the Serv-U product crashes when the exploit is attempted by a threat actor. _Updated July 15, 2021_ **What products are not affected?** All other SolarWinds and N-able (formerly SolarWinds MSP) are not affected by this vulnerability. This includes the Orion Platform, and all Orion Platform modules. A complete list of products not known to be affected by this security vulnerability follows: **SolarWinds product NOT AFFECTED by this security vulnerability:** 8Man Network Operations Manager (NOM) Access Rights Manager (ARM) Network Performance Monitor (NPM) ----- Application Centric Monitor (ACM) Network Topology Mapper (NTM) AppOptics Papertrail Backup Document Patch Manager Backup Profiler Pingdom Backup Server Pingdom Server Monitor Backup Workstation Server & Application Monitor (SAM) CatTools Server Configuration Monitor (SCM) Dameware Mini Remote Control Security Event Manager (SEM) Dameware Patch Manager Security Event Manager Workstation Edition Dameware Remote Everywhere Service Desk Dameware Remote Manager Server Profiler Database Performance Analyzer (DPA) Storage Manager Database Performance Analyzer Integration Module*(DPAIM*) Storage Profiler Database Performance Monitor (DPM) Storage Resource Monitor (SRM) DNSstuff Threat Monitor Engineer’s Toolset Virtualization Manager (VMAN) Engineer's Web Toolset Virtualization Profiler Enterprise Operations Console (EOC) VoIP & Network Quality Manager (VNQM) ----- FailOverEngine Web Help Desk Firewall Security Monitor Web Performance Monitor (WPM) High Availability (HA) SQL Sentry Identity Monitor DB Sentry IP Address Manager (IPAM) V Sentry ipMonitor Win Sentry KiwiCatTools BI Sentry Kiwi Log Viewer SentryOneDocument Kiwi Syslog Server SentryOneTest LANSurveyor Task Factory Librato DBAxPress Log Analyzer (LA) Plan Explorer Log & Event Manager (LEM) APS Sentry Log&Event Manager Workstation Edition DW Sentry Loggly SQL Sentry Essentials Mobile Admin SentryOneMonitor NetFlow Traffic Analyzer (NTA) BIxPress Network Automation Manager (NAM) ----- Network Configuration Manager (NCM) ***NOTE: Please note DPAIM is an integration module and is not the same as Database** Performance Analyzer (DPA). We have also found no evidence that any of our free tools, (TFTP/SCP), Orion agents, or Web Performance Monitor (PM) Players are impacted by this security vulnerability. **N-able (formerly SolarWinds MSP) products NOT AFFECTED by this security** **vulnerability:** N-central – Probe Mail Assure N-central – Topology SpamExperts N-central –NetPath MSP Manager N-central PassPortal NetPath– Server Take Control RMM Patch Backup Disaster Recovery Automation Manager M365 Backup Webprotection Backup **How is SolarWinds addressing this?** SolarWinds released a hotfix Friday, July 9, 2021, and we recommend all customers using **Serv-U install this fix immediately for the protection of your environment.** _Updated July 10, 2021_ **What actions should I take?** ----- If you are an active maintenance SolarWinds customer of the Serv-U product, [SolarWinds asks you to log into your Customer Portal to access your updates. This update](https://customerportal.solarwinds.com/) is expected to take only a few minutes to implement. If you are not on active maintenance and currently using a Serv-U product, our Customer Success team is available to help you with your questions. Please open a [customer service ticket with the subject "Serv-U Assistance" and our team will assist you](https://customerportal.solarwinds.com/support/submit-a-ticket?sid=satsn) (no login required). _Updated July 13, 2021_ **How can I tell if my environment has been compromised?** The following steps are steps you can take to determine if your environment has been compromised: 1. Is SSH enabled for your Serv-U installation? If SSH is not enabled in the environment, the vulnerability does not exist. 2. Is your environment throwing exceptions? This attack is a Return Oriented Programming (ROP) attack. When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack. Please collect the DebugSocketlog.txt log file, which can be found in the following locations: C:\ProgramData\RhinoSoft\Serv-U\DebugSocketlog.txt C:\ProgramFiles\RhinoSoft\Serv-U\DebugSocketlog.txt In the log file DebugSocketlog.txt you may see an exception, such as: 07] Tue 01Jun21 02:42:58 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; nBytesUncompressed = 156; uchPaddingLength = 5 Exceptions may be thrown for other reasons so please collect the logs to assist with determining your situation. 3. Are you seeing potentially suspicious connections via SSH? Look for connections via SSH from the following IP addresses, which have been reported as a potential indicator of attack by the threat actor: **98[.]176[.]196[.]89** **68[.]235[.]178[.]32** **208[.]113[.]35[.]58** ----- **144[.]34[.]179[.]162** **97[.]77[.]97[.]58** Other indicators: **hxxp://144[.]34[.]179[.]162/a** **C:\Windows\Temp\Serv-u.bat** **C:\Windows\Temp\test\current.dmp** 4. Are you seeing potentially suspicious activity by Serv-U? Review your monitoring tools and/or EDR platforms for Serv-U.exe spawning anomalous processes, such as: _mshta.exe_ _powershell.exe_ _cmd.exe (or conhost.exe then spawning cmd.exe) with any of the following in the_ command line: _whoami_ _dir_ _./Client/Common_ _.\Client\Common_ _type [a file path] > "C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\[file_ _name].Archive"_ Any process with the following in the command line: _C:\Windows\Temp\_ The addition of any unrecognized Global users to Serv-U. This can be checked in the users tab of the Serv-U Management Console, as shown below. It can also be checked by looking for recently created files in C:\ProgramData\RhinoSoft\Serv_U\Users\Global Users, which appears to store the Global users information._ If you observe this activity, investigate these processes further, and any traffic originating from the Serv-U box. Please contact SolarWinds Customer Support with this information, and we will escalate for investigation. **Is this vulnerability related to the SUNBURST cyberattack?** ----- No. It s important to note this new vulnerability is completely unrelated to the SUNBURST supply chain attack. Software vulnerabilities are quite common, range in severity levels, and are routinely resolved by software vendors as part of their ongoing maintenance release schedules. **What kind of vulnerability is this?** Based on our investigations, this is a remote code execution (RCE) exploit. **What versions of Serv-U are affected?** Based on our investigations, this RCE exploit affects all versions of Serv-U, prior to version 15.2.3 HF2, which has been built to address this vulnerability, and to help protect your environment. _Updated July 13, 2021_ **Where can I get additional information?** We understand the desire for more information on this issue, and we’ll provide more information here as it’s available. In the meantime, our Customer Success team is available to you. Please open a customer service ticket with the subject "Serv-U Assistance" and our team will assist you (no login required). **Acknowledgements** SolarWinds would like to thank the Security Researcher below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability. **Microsoft Threat Intelligence Center (MSTIC) and Microsoft Offensive Security** **Research teams** **Disclaimer** Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third-party content at your own risk, and you will be solely responsible for the incorporation of the same if any. ----- **Revisions** **Version** **Revision** **Date** 1.4 July 15, 2021 1.3 July 13, 2021 1.2 July 10, 2021 1.1 July 10, 2021 1.0 July 9, 2021 **Description** Updated FAQ information. Added RSS feed instructions. These are informational changes only. Updated FAQ information. This is an informational change only. Updated FAQ information. This is an informational change only. Notice added, updated FAQ information. This an informational change only. Information Published We’re Geekbuilt. ® Developed by network and systems engineers who know what it takes to manage today's dynamic IT environments, SolarWinds has a deep connection to the IT community. The result? IT management products that are effective, accessible, and easy to use. -----