Solarwinds: Gaps in platform and Serv-U enable malicious code smuggling
Solarwinds warns of security vulnerabilities in the platform and in Serv-U. Attackers can, for example, inject code or escalate their privileges.
Security gaps jeopardize network security.
(Image: created with AI in Bing Designer by heise online / dmk)
Solarwinds is providing updated software for the self-hosted platform and the Serv-U FTP server. The updates patch vulnerabilities, some of which are classified as critical, that allow attackers to inject and execute malicious code, among other things.
The update to Solarwinds Platform 2024.4 fixes two security vulnerabilities in the core software and six in bundled third-party components. According to the release notes for the new version, an "uncontrolled search path element" allows attackers to escalate local privileges (CVE-2024-45710, CVSS 7.8, risk "high"). In addition, malicious actors can inject malicious scripts when editing elements through a cross-site scripting vulnerability (CVE-2024-45715, CVSS 7.1, high).
Solarwinds: Third-party software with critical vulnerabilities
There are also security gaps in several third-party components. Lodash.js, for example, contains a vulnerability classified as critical (CVE-2019-10744, CVSS 9.1), Moment.js contains a high-risk vulnerability (CVE-2022-31129, CVSS 7.5) and Python Tudoor also contains a vulnerability classified as high risk (CVE-2023-29483, CVSS 7.0). There are also gaps in OpenSSL (CVE-2024-2511, CVSS 5.9; CVE-2024-0727, CVSS 5.5) and in RabbitMQ (CVE-2023-46118, CVSS 4.9).
IT managers should apply the updates quickly due to the severity of the vulnerabilities.
Serv-U: Two vulnerabilities corrected
The developers have also patched two vulnerabilities in the Serv-U FTP server. According to the vulnerability description, a directory traversal vulnerability allows malicious code to be smuggled in and executed, depending on the access rights of the authenticated user (CVE-2024-45711, CVSS 7.5, high). In addition, registered attackers can abuse a cross-site scripting vulnerability to modify a variable with malicious content (CVE-2024-45714, CVSS 5.7, medium). Serv-U 15.4.2.3 and older versions are affected; the now available software version 15.5 corrects the errors.
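Solarwinds gives no details of the Serv-U flaw, so the following is a generic illustration of how a file server can defend against the directory traversal class of bug, added here as an example and not code from Serv-U or Solarwinds. The function name, the user-root layout and the sample paths are constructed for the demonstration; the point it makes is that a client-supplied path must be checked both textually (no `..`, no absolute path, no NUL byte) and after resolution on the real filesystem, so that a symlink inside the user's directory cannot carry an upload outside it.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would leave the user's root directory."""


def resolve_upload_target(user_root: str, client_path: str) -> Path:
    """Map a client-supplied relative path to a location inside user_root.

    The checks are layered because each closes a gap the others leave:
      1. NUL bytes and absolute paths are rejected outright.
      2. '..' components are rejected before any normalisation, so a path
         such as 'a/../../x' is never collapsed into something that looks clean.
      3. The candidate is resolved on the real filesystem (following symlinks)
         and must still lie under the resolved root, which also catches a
         symlink inside the root that points outside it.
    """
    if "\x00" in client_path:
        raise PathTraversalError("NUL byte in path")
    # Treat the client's path as POSIX-style on every platform so that a
    # backslash cannot act as a separator on Windows but not on Linux.
    posix = PurePosixPath(client_path.replace("\\", "/"))
    if posix.is_absolute():
        raise PathTraversalError("absolute path not allowed")
    for part in posix.parts:
        if part == "..":
            raise PathTraversalError("parent directory reference not allowed")
        if os.path.splitdrive(part)[0]:
            raise PathTraversalError("drive letter in path not allowed")
    root = Path(user_root).resolve()
    candidate = root.joinpath(*posix.parts).resolve(strict=False)
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathTraversalError("path escapes user root") from None
    return candidate


def is_safe_upload_path(user_root: str, client_path: str) -> bool:
    """Convenience wrapper: True if the path stays inside user_root."""
    try:
        resolve_upload_target(user_root, client_path)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed demo: a throwaway user root with one symlink pointing outside it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "home" / "alice"
        (root / "docs").mkdir(parents=True)
        outside = Path(tmp) / "outside"
        outside.mkdir()
        try:
            os.symlink(outside, root / "escape")
        except OSError:
            pass  # symlinks not permitted here; the textual checks still apply
        samples = [
            "docs/report.txt",          # accepted
            "docs/../report.txt",       # rejected: '..' is refused even when harmless
            "../../etc/passwd",         # rejected: leaves the root
            "..\\..\\windows\\win.ini", # rejected: backslash separators normalised first
            "/etc/passwd",              # rejected: absolute
            "escape/secret.txt",        # rejected: symlink resolves outside the root
        ]
        for sample in samples:
            verdict = "ok     " if is_safe_upload_path(str(root), sample) else "REJECT "
            print(verdict, sample)
```

Rejecting every `..` component, rather than normalising and then checking, is a deliberate choice: it is simpler to reason about, and an FTP client has no legitimate need to reference the parent of its own upload directory.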
Solarwinds does not provide details on how the vulnerabilities can be attacked and how successful attacks can possibly be detected.
Vulnerabilities in Solarwinds products are frequently targeted by attackers. On Wednesday of this week, for example, attacks on Solarwinds Web Help Desk became known. The vulnerability that the malicious actors are abusing was already closed with security updates in August. However, admins must also apply these to protect their instances.
(dmk)