
Cloud Vulnerability DB
A community-led vulnerabilities database
Microsoft discovered a remote code execution (RCE) vulnerability (CVE-2021-35211) in the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows products. The vulnerability was found in version 15.2.3 HF1 (released May 5, 2021) and all prior versions, affecting the SSH protocol implementation. The flaw was actively exploited in targeted attacks and was disclosed on July 9, 2021 (SolarWinds Advisory, Microsoft Blog).
The vulnerability is a memory escape flaw in the way Serv-U implemented the Secure Shell (SSH) protocol. The issue stems from how Serv-U initially created an OpenSSL AES128-CTR context, which could allow the use of uninitialized data as a function pointer during SSH message decryption. The vulnerability can only be exploited if SSH is enabled and externally accessible. It received a CVSS v3.1 base score of 9.0 CRITICAL from SolarWinds and 10.0 CRITICAL from NVD (NVD, Tenable Blog).
If successfully exploited, an attacker could run arbitrary code with privileges on the affected system. This includes the ability to install malicious programs, view, change, or delete sensitive data, and execute commands with system privileges. The vulnerability only affects the machine hosting Serv-U and does not impact other parts of the customer's network (SolarWinds Advisory).
SolarWinds released Serv-U version 15.2.3 HF2 to address the vulnerability. The upgrade path depends on the current version: users on 15.2.3 HF1 should apply HF2 directly; those on 15.2.3 should apply HF1 first, then HF2; users on versions below 15.2.3 need to upgrade to 15.2.3, then apply both hotfixes in sequence. If immediate patching is not possible, disabling SSH can serve as a temporary mitigation (SolarWinds Advisory).
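The exposure condition above (SSH enabled and externally reachable) and the version-dependent upgrade path can be turned into a small triage routine for an inventory of Serv-U hosts. The following is an added example, not code from SolarWinds or the advisory; the hostnames, version strings and inventory fields are constructed for illustration.

```python
import re

# Version that closes the flaw, encoded as (major, minor, patch, hotfix): 15.2.3 HF2
FIXED_VERSION = (15, 2, 3, 2)
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '15.2.3 HF1' or '15.1.7' into a comparable (major, minor, patch, hotfix) tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(version: str) -> bool:
    """15.2.3 HF1 and every earlier version is affected."""
    return parse_version(version) < FIXED_VERSION


def remediation_steps(version: str) -> list:
    """Ordered hotfix sequence from the advisory for the installed version."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return []
    if v[:3] < (15, 2, 3):
        return ["upgrade to 15.2.3", "apply 15.2.3 HF1", "apply 15.2.3 HF2"]
    if v[3] == 0:
        return ["apply 15.2.3 HF1", "apply 15.2.3 HF2"]
    return ["apply 15.2.3 HF2"]


def triage(host: dict) -> dict:
    """Classify one inventory record; exploitable only if SSH is on and reachable externally."""
    vulnerable = is_vulnerable(host["version"])
    exploitable = vulnerable and host["ssh_enabled"] and host["externally_reachable"]
    return {
        "host": host["host"],
        "vulnerable": vulnerable,
        "exploitable": exploitable,
        "steps": remediation_steps(host["version"]),
        "interim": "disable SSH" if exploitable else None,  # advisory's stop-gap until patched
    }


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "mft-01.example.internal", "version": "15.2.3 HF1", "ssh_enabled": True, "externally_reachable": True},
    {"host": "mft-02.example.internal", "version": "15.2.3", "ssh_enabled": False, "externally_reachable": True},
    {"host": "mft-03.example.internal", "version": "15.1.7", "ssh_enabled": True, "externally_reachable": False},
    {"host": "mft-04.example.internal", "version": "15.2.3 HF2", "ssh_enabled": True, "externally_reachable": True},
]
```

Hosts flagged `vulnerable` but not `exploitable` still need the patch sequence; the interim recommendation only applies where SSH is currently exposed.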
Microsoft's disclosure of the vulnerability highlighted the continued targeting of SolarWinds products by state-sponsored threat actors, though this incident was unrelated to the previous SUNBURST supply chain attack. The cybersecurity community emphasized the critical nature of the vulnerability, particularly given its active exploitation and the large number of exposed systems (Hacker News).
Source: This report was generated using AI