CVE-2024-28995 – SolarWinds Serv-U Path Traversal

Celia Catalán


Continuing with the saga of 2024's CVEs, today we have CVE-2024-28995.

On June 5, SolarWinds disclosed a vulnerability in its Serv-U file transfer server. It is a path-traversal flaw that lets an unauthenticated attacker read arbitrary files from the host's file system (any file the Serv-U service account can access).

The affected versions are: 

  • SolarWinds Serv-U 15.4.2 HF1 and earlier 

Public proof-of-concept scripts already exist that test whether the host at a given IP address is vulnerable. 


The vulnerability 

The vulnerability can be exploited with a very simple GET request to the root path "/", using the query parameters InternalDir and InternalFile. 

An example of this could be: 

[example request payloads shown as an image in the original post] 

In these payloads, backslashes ("\") are used against Linux hosts and forward slashes ("/") against Windows hosts. The reason is that Serv-U only filters traversal sequences written with the separator native to the platform ("/" on Linux, "\" on Windows) and only afterwards normalizes the other separator into the native one. A payload written with the "wrong" separator therefore passes the check and is then "fixed" into a working traversal sequence. Because the check runs on the raw input while the use happens on the normalized path, this behaves like a time-of-check-time-of-use (TOCTOU) problem, even though no race is involved: the root cause is validating before canonicalizing. 
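The following is an added example, not SolarWinds' code: a small Python model of the check-then-normalize ordering described above, next to a hardened resolver that canonicalizes first and then checks containment. The web-root layout (`Client/Common`), the fake `etc/passwd`, the function names and the `native_sep` parameter are all assumptions made for the demo; it runs the Linux case (backslashes slip past a filter that only knows "../") on any POSIX host.

```python
"""Validate-before-canonicalize path traversal, modelled after the Serv-U bug.

Added example for this write-up; it is NOT SolarWinds' code. It reproduces
only the behaviour described above: the traversal check looks for the
platform's native separator, and the other separator is converted into the
native one only after the check. The web-root layout, file contents and
function names are constructed for the demo.
"""
import os
import shutil
import tempfile


def make_demo_tree():
    """Build a throw-away tree: <root>/Client/Common is the served web root,
    <root>/etc/passwd is the file an attacker wants (constructed data)."""
    root = tempfile.mkdtemp(prefix="servu_demo_")
    webroot = os.path.join(root, "Client", "Common")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as fh:
        fh.write("<html>public</html>")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return root, webroot


def vulnerable_resolve(webroot, internal_dir, internal_file, native_sep="/"):
    """Check first, normalize second: the flawed order.

    native_sep="/" models a Linux host, where only "../" is filtered and
    "\\" is later rewritten to "/"; native_sep="\\" models Windows, where
    the roles swap. The demo below only runs the Linux case.
    """
    raw = internal_dir + native_sep + internal_file
    # 1. The check: rejects traversal only when written with the native separator.
    if ".." + native_sep in raw:
        raise PermissionError("traversal rejected")
    # 2. The "fix-up": foreign separators become native ones AFTER the check,
    #    which is exactly where "..\\" on Linux turns into "../".
    foreign = "\\" if native_sep == "/" else "/"
    normalized = raw.replace(foreign, native_sep)
    return os.path.normpath(os.path.join(webroot, normalized.lstrip(native_sep)))


def hardened_resolve(webroot, internal_dir, internal_file):
    """Canonicalize first, then enforce containment against the real web root."""
    requested = (internal_dir + "/" + internal_file).replace("\\", "/")
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes web root")
    return candidate


def run_demo():
    """Exercise both resolvers; returns a dict of results instead of printing."""
    root, webroot = make_demo_tree()
    results = {}
    try:
        # A normal request is served by both versions.
        results["legit_vuln"] = vulnerable_resolve(webroot, "/", "index.html")
        results["legit_hard"] = hardened_resolve(webroot, "/", "index.html")

        # Linux-style payload: backslashes, two levels up from Client/Common.
        # (Real payloads use many more "..", which simply clamp at "/".)
        linux_payload = ("\\..\\..\\etc", "passwd")
        escaped = vulnerable_resolve(webroot, *linux_payload)
        results["vuln_escapes"] = not escaped.startswith(webroot)
        with open(escaped) as fh:
            results["leaked"] = fh.read().startswith("root:")

        # The same traversal spelled with the native separator is caught...
        try:
            vulnerable_resolve(webroot, "/../../etc", "passwd")
            results["native_blocked"] = False
        except PermissionError:
            results["native_blocked"] = True

        # ...and the hardened resolver rejects both spellings.
        blocked = 0
        for d, f in (linux_payload, ("/../../etc", "passwd")):
            try:
                hardened_resolve(webroot, d, f)
            except PermissionError:
                blocked += 1
        results["hardened_blocked"] = blocked
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hardened version does not try to enumerate bad separators at all: it folds every separator into one form, resolves symlinks with `os.path.realpath`, and then asks the only question that matters, whether the resolved path is still inside the resolved web root. Any filter that makes its decision before that canonicalization step can be bypassed by whatever encoding the later normalization happens to accept.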

Conclusion 

On June 17, the United States Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability along with others to its catalog of Known Exploited Vulnerabilities (KEV). 

The vulnerability is tracked as CVE-2024-28995 and carries a CVSS score of 8.6. As for remediation, SolarWinds quickly released the Serv-U 15.4.2 Hotfix 2 patch; anyone running this platform should update to it as soon as possible if they have not already done so. 

And that's it for this CVE, see you when more C's, more V's and more E's come out. Until next time. 


Javier Muñoz, Cybersecurity Analyst at Zerolynx
