Latest SolarWinds vulnerability
Microsoft recently notified SolarWinds that they had discovered a remote code execution vulnerability in Serv-U Managed File Transfer and Serv-U Secure FTP. The vulnerability being exploited is CVE-2021-35211 and only exists when SSH is enabled in Serv-U environments.
SolarWinds has issued a hotfix and recommends that customers log in to their customer portals to access these updates. You will need to install these updates immediately.
Finding SolarWinds Serv-U systems with Rumble
With Rumble you can find Serv-U servers with SSH enabled in your inventory with this pre-built query. This query identifies SSH services that use the insecure Serv-U key or the Serv-U banner.
_asset.protocol:ssh AND protocol:"ssh" AND (banner:"SSH-2.0-Serv-U" OR ssh.hostKey.md5:"=e4:dd:11:2e:82:34:ab:62:59:1c:c8:62:1d:4b:48:99")
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
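The same two conditions as the query above (Serv-U banner prefix, or the host key MD5 fingerprint) can be applied to SSH scan records from any source. This is an added example, not code from Rumble or SolarWinds; the record field names (`address`, `banner`, `hostkey_b64`) and the sample records are assumptions constructed for illustration.

```python
import base64
import hashlib

# Values taken from the query on this page.
SERVU_BANNER_PREFIX = "SSH-2.0-Serv-U"
SERVU_HOSTKEY_MD5 = "e4:dd:11:2e:82:34:ab:62:59:1c:c8:62:1d:4b:48:99"


def md5_fingerprint(hostkey_b64):
    """Colon-separated MD5 fingerprint of a base64 SSH public key blob."""
    blob = base64.b64decode(hostkey_b64, validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def match_reasons(record, known_md5=(SERVU_HOSTKEY_MD5,)):
    """Return which of the query's two conditions a record meets."""
    reasons = []
    if record.get("banner", "").strip().startswith(SERVU_BANNER_PREFIX):
        reasons.append("banner")
    key = record.get("hostkey_b64")
    if key:
        try:
            if md5_fingerprint(key) in known_md5:
                reasons.append("hostkey-md5")
        except ValueError:  # malformed base64 in the scan export
            pass
    return reasons


def find_servu(records, known_md5=(SERVU_HOSTKEY_MD5,)):
    """Map address -> match reasons for every record that matches."""
    hits = {}
    for rec in records:
        reasons = match_reasons(rec, known_md5)
        if reasons:
            hits[rec["address"]] = reasons
    return hits


# Constructed sample records (hypothetical schema, documentation addresses,
# made-up banners and key blobs).
SAMPLE = [
    {"address": "192.0.2.10", "banner": "SSH-2.0-Serv-U_X.X", "hostkey_b64": "QUFBQQ=="},
    {"address": "192.0.2.11", "banner": "SSH-2.0-OpenSSH_8.4", "hostkey_b64": "QkJCQg=="},
    {"address": "192.0.2.12", "banner": "SSH-2.0-OpenSSH_8.4", "hostkey_b64": "not base64!"},
]

if __name__ == "__main__":
    for addr, why in find_servu(SAMPLE).items():
        print(addr, ",".join(why))
```

Matching on the host key fingerprint as well as the banner catches servers whose banner has been changed or hidden but that still present the same key.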