GreyNoise Warns of Active Exploitation Attempts Targeting SolarWinds Serv-U Vulnerability (CVE-2024-28995)
On June 5, 2024, SolarWinds issued a critical advisory regarding a newly discovered path-traversal vulnerability in Serv-U, identified as CVE-2024-28995. The vulnerability, found by Hussein Daher, affects SolarWinds Serv-U versions 15.4.2 HF 1 and earlier. Versions 15.4.2 HF 2 and later have been patched to mitigate the issue.
CVE-2024-28995 is a path-traversal vulnerability that allows unauthenticated attackers to retrieve arbitrary files from the filesystem. The exploit can be executed via a simple GET request to the root directory (/) with the parameters InternalDir and InternalFile specifying the target folder and file, respectively. The vulnerability arises from inadequate validation of path traversal segments (../), permitting attackers to bypass security checks.
GreyNoise Intelligence deployed an advanced honeypot to gather data on exploit attempts. The honeypot closely mimics the vulnerable Serv-U application and responds as a genuine system would. Within days, GreyNoise captured several exploit attempts, including hands-on-keyboard activity.
Exploit attempts observed by GreyNoise include:
- Windows
- Linux
Interestingly, Serv-U’s path-traversal filter checks only the separator appropriate for the platform (/ for Linux and \ for Windows). This oversight means a traversal sequence written with the other platform’s separator passes the filter and is only converted (“fixed”) to the correct separator later in processing, leading to successful exploitation.
GreyNoise’s honeypots revealed various payloads targeting critical files like /etc/passwd and Serv-U startup logs. The data showed a mix of common and customized payloads, indicating different levels of sophistication among attackers.
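Detection logic for the pattern described above, added here as an example and not part of the GreyNoise report or the Serv-U product: it scans web-server access-log lines for GET requests to / whose InternalDir or InternalFile parameter contains a traversal segment, normalizing both separators and repeated percent-encoding before checking, so that the single-separator weakness in the original filter does not also blind the detection. The log format (Apache-style common log) and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the GreyNoise honeypot data).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:01:02 +0000] "GET /?InternalDir=../../../../etc&InternalFile=passwd HTTP/1.1" 200 1234',
    '10.0.0.6 - - [05/Jun/2024:10:02:10 +0000] "GET /?InternalDir=\\..\\..\\..\\Windows&InternalFile=win.ini HTTP/1.1" 200 20',
    '10.0.0.7 - - [05/Jun/2024:10:03:11 +0000] "GET /?InternalDir=%2e%2e%2f%2e%2e%2fetc&InternalFile=hosts HTTP/1.1" 200 50',
    '10.0.0.8 - - [05/Jun/2024:10:04:12 +0000] "GET /?InternalDir=Reports&InternalFile=summary.txt HTTP/1.1" 200 900',
    '10.0.0.9 - - [05/Jun/2024:10:05:13 +0000] "GET /index.html HTTP/1.1" 200 4000',
]

# Request line inside the quoted part of a common-log entry (assumed format).
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(value: str) -> str:
    """Fully percent-decode, then treat both separators alike.

    Serv-U's filter only looked at the platform's own separator; a detection
    must look at both, and must decode until the value stops changing so that
    double-encoded input cannot hide a traversal segment.
    """
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True if any path segment of the normalized value is '..'."""
    return any(seg == ".." for seg in normalize(value).split("/"))


def classify(line: str):
    """Return (source_ip, reason) for a CVE-2024-28995-style request, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/":          # the advisory describes requests to the root path only
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    for name in ("InternalDir", "InternalFile"):
        for raw in params.get(name, []):
            if has_traversal(raw):
                return line.split()[0], f"{name} traverses after normalization: {normalize(raw)}"
    return None


def scan(lines):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```

Run against the constructed lines, the scanner flags the forward-slash, backslash and percent-encoded attempts and leaves the two benign requests alone.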
Notable Observations
- Payload Copy-Paste Errors: One attacker used a payload with an incorrect caret (^) character, suggesting they copied the payload without understanding it. This mistake was observed from an IP address in China.
- Hands-on-Keyboard Activity: A more intriguing find was an attack from a Chinese IP that included a non-English UTF-8 character (%E3%80%81) in the request, indicating manual input. This attacker made multiple attempts over four hours, further suggesting hands-on involvement rather than automated scanning.
SolarWinds advises all users to update to Serv-U version 15.4.2 HF 2 or later to mitigate the vulnerability.