![]() ![]() The most likely instance of such code was the following:įigure 1. The implementation of SSH in Serv-U was found by enumerating references to the “SSH-“ string, which must be present in the first data sent to the server. The protocol behavior is defined in multiple requests for comment (RFCs), and existing implementations are available in open-source code we primarily used RFC 4253, RFC 4252, and libssh as references for this analysis. Secure Shell (SSH) is a widely adopted protocol for secure communications over an untrusted network. Vulnerability in Serv-U’s implementation of SSH This is an example of intelligence sharing and industry collaboration that result in comprehensive protection for the broader community through detection of attacks through products and fixing vulnerabilities through security updates. We shared these findings, as well as the fuzzer we created, with SolarWinds through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and worked with them to fix the issue. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation. Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages. We concluded that the exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. It immediately became evident that the Serv-U process would make stealthy, reliable exploitation attempts simple to accomplish. Although the intel contained useful indicators, it lacked the exploit in question, so our team set out to reconstruct the exploit, which required to first find and understand the new vulnerability in the Serv-U SSH-related code.Īs we knew this was a remote, pre-auth vulnerability, we quickly constructed a fuzzer focused on the pre-auth portions of the SSH handshake and noticed that the service captured and passed all access violations without terminating the process. In early July, MSTIC provided our team with data that seemed to indicate exploit behavior against a newly-discovered vulnerability in the SolarWinds Serv-U FTP server’s SSH component. We do this by leveraging our knowledge of attacker techniques and processes to build and improve protections in Windows and Azure through reverse engineering, attack creation and replication, vulnerability research, and intelligence sharing. Our team’s remit is to make computing safer. This analysis was conducted by the Microsoft Offensive Research & Security Engineering team, a focused group tasked with supporting teams like MSTIC with exploit development expertise. In this blog, we share technical information about the vulnerability, tracked as CVE-2021-35211, that we shared with SolarWinds, who promptly released security updates to fix the vulnerability and mitigate the attacks. The Microsoft Threat Intelligence Center (MSTIC) attributed the attack with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures. Several weeks ago, Microsoft detected a 0-day remote code execution exploit being used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks. Microsoft Purview Data Lifecycle Management.Microsoft Purview Information Protection.Information protection Information protection.Microsoft Priva Subject Rights Requests.Microsoft Purview Communication Compliance.Microsoft Purview Insider Risk Management.Risk management & privacy Risk management & privacy.Microsoft Intune Endpoint Privilege Management.Endpoint security & management Endpoint security & management.Microsoft Defender External Attack Surface Management.Microsoft Defender Cloud Security Posture Mgmt.Microsoft Defender Vulnerability Management. ![]() Azure Active Directory (Microsoft Entra ID). ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |