Trustwave SpiderLabs Security Advisory TWSL2021-002:
Weak ACLs Vulnerability in SolarWinds Serv-U FTP Server 15.2.1 on Windows

Published: 02/03/2021
Version: 1.0

Vendor: SolarWinds (www.solarwinds.com)
Product: SolarWinds Serv-U FTP Server 15.2.1 on Windows
Version affected: 15.2.1 and prior versions on Windows

Product description:
SolarWinds Serv-U FTP Server is a file transfer software.

Finding 1: SolarWinds Serv-U FTP Server 15.2.1 on Windows "Users" directory weak ACLs
*****Credit: Martin Rakhmanov of Trustwave 
CVE: CVE-2021-25276

The directory (%ProgramData%\RhinoSoft\Serv-U\Users\<DOMAIN>\) is world readable and writeable.
This directory contains user profile files (bearing .Archive extension) that among other 
user properties store the user's password hash.

For example:

...
CUserPasswordAttr
Password
1
1
Val
00:8F821B5694E9CE5C84DCF96DE0E6793DA5A279CC4C4CDF6B3A934A71002165B7BC1C7C6FC37B6DCCD108A826CDE9D66F
<<- Password
...

Unprivileged Windows users having access to the server's filesystem can abuse this weakness 
in at least two ways:

1. Retrieve hashed passwords of existing Serv-U FTP users and perform a brute force attack 
on them. The algorithm employed for hash generation is Argon2 in Serv-U FTP Server 15.2. 
If a password is found during such offline brute force attack, malicious actors can then 
use discovered password to impersonate unsuspecting legitimate users. This type of attack 
can go unnoticed since the brute force operation will be conducted offline.

2. More severe attack consists of adding a user to the Serv-U server by copying a valid 
profile file to the directory mentioned above. A valid Archive file can be produced on 
another Serv-U server and such file can define System Administrator user with its Home 
directory set to "/". Once such file is copied to the %ProgramData%\RhinoSoft\Serv-U\Users\<DOMAIN>\ 
location, the Serv-U process will detect the change and add the user specified in the 
profile file to the user list. Then malicious actors can login using the added account and 
get complete control of the underlying Windows operating system since the Serv-U process 
runs as LocalSystem and allows read/write access to the root of C: drive when the Home 
directory is set to "/".

Remediation Steps:
Upgrade to Serv-U v15.2.2 HotFix 1 or the latest stable version.

Revision History:
01/04/2021 - Vulnerability (CVE-2021-25276) disclosed to vendor
01/22/2021 - Serv-U FTP Server hotfix released
02/03/2021 - Advisory published

References
1. https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip


About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security 
risk. With cloud and managed security services, integrated technologies and a 
team of security experts, ethical hackers and researchers, Trustwave enables 
businesses to transform the way they manage their information security and 
compliance programs. More than three million businesses are enrolled in the 
Trustwave TrustKeeper® cloud platform, through which Trustwave delivers 
automated, efficient and cost-effective threat, vulnerability and compliance 
management. Trustwave is headquartered in Chicago, with customers in 96 
countries. For more information about Trustwave, visit 
https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.