DIVD-2024-00028 - Local File Inclusion in SolarWinds U-Serv
| Our reference | DIVD-2024-00028 |
| Case lead | Stan Plasmeijer |
| Author | Max van der Horst |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Install the provided hotfix 2 as soon as possible to patch the vulnerability. |
| Patch status | Available |
| Workaround | None |
| Status | Open |
| Last modified | 22 Jun 2024 20:51 |
Summary
SolarWinds U-Serv was vulnerable to a Local File Inclusion vulnerability caused by a Path Traversal vulnerability that allows an attacker to read sensitive information from the host server. Leaking this information could lead to an attacker compromising the server.
Recommendations
SolarWinds released a hotfix for version 15.4.2. Install this hotfix as soon as possible, the corresponding version number is 15.4.2 HF2 (15.4.2.157).
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of SolarWinds U-Serv and to notify these parties. We do this by looking at the version numbers if possible and otherwise verifying the presence of the vulnerability in a harmless manner.
Timeline
| Date | Description |
|---|---|
| 21 Jun 2024 | DIVD starts researching the vulnerability. |
| 21 Jun 2024 | DIVD finds fingerprint, preparing to scan. |
| 22 Jun 2024 | DIVD starts scanning the internet for vulnerable instances. |
| 22 Jun 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
gantt
title DIVD-2024-00028 - Local File Inclusion in SolarWinds U-Serv
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00028 - Local File Inclusion in SolarWinds U-Serv (still open) :2024-06-21, 2024-07-10
section Events
DIVD starts researching the vulnerability. : milestone, 2024-06-21, 0d
DIVD finds fingerprint, preparing to scan. : milestone, 2024-06-21, 0d
DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-06-22, 0d
DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-06-22, 0d