CVE-2019-12181
📋 TL;DR
This CVE describes a privilege escalation vulnerability in SolarWinds Serv-U FTP Server for Linux versions before 15.1.7. It allows local attackers to execute arbitrary commands with elevated privileges by exploiting improper input sanitization in the prepareinstallation script. Organizations running vulnerable Serv-U versions on Linux systems are affected.
💻 Affected Systems
- SolarWinds Serv-U FTP Server
📦 What is this software?
Serv-U FTP Server by SolarWinds
Serv-U MFT Server by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains root privileges, installs persistent backdoors, accesses sensitive data, and pivots to other systems.
Likely Case
Local privilege escalation allowing attackers to gain root access on the affected Serv-U server, potentially leading to data theft, service disruption, or lateral movement.
If Mitigated
Limited impact with proper access controls, monitoring, and network segmentation preventing lateral movement and containing the breach.
🎯 Exploit Status
Exploit requires local access to the system. Multiple public exploit scripts and detailed write-ups are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.1.7
Vendor Advisory: https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems
Restart Required: Yes
Instructions:
1. Download Serv-U 15.1.7 or later from SolarWinds portal.
2. Stop the Serv-U service.
3. Install the update following vendor instructions.
4. Restart the Serv-U service.
5. Verify the version is 15.1.7 or higher.
🔧 Temporary Workarounds
Remove execute permissions from prepareinstallation script
Linux: Temporarily mitigates the vulnerability by preventing execution of the vulnerable script
chmod -x /opt/Serv-U/prepareinstallation
Restrict access to Serv-U directories
Linux: Limit which users can access Serv-U installation directories
chmod 750 /opt/Serv-U/
chown root:root /opt/Serv-U/prepareinstallation
🧯 If You Can't Patch
- Implement strict access controls to limit who has local access to Serv-U servers
- Monitor for suspicious privilege escalation attempts and command execution from Serv-U processes
🔍 How to Verify
Check if Vulnerable:
Check if Serv-U version is below 15.1.7 and the prepareinstallation script exists with execute permissions
Check Version:
cat /opt/Serv-U/version.txt || serv-u --version
Verify Fix Applied:
Verify Serv-U version is 15.1.7 or higher and the prepareinstallation script has been patched or removed
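The two checks above combined into one local script, as an added example that is not from SolarWinds or from the original page. It uses the `/opt/Serv-U` paths this page gives and assumes `version.txt` contains a dotted version string; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Paths follow this page; the layout of
# version.txt (a dotted version somewhere in the file) is an assumption.
SERVU_DIR="${SERVU_DIR:-/opt/Serv-U}"
FIXED_VERSION="15.1.7"

# version_lt A B: succeeds when dotted version A is strictly lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# read_version FILE: print the first dotted version number found in FILE.
read_version() {
    grep -Eo '[0-9]+(\.[0-9]+)+' "$1" 2>/dev/null | head -n 1
}

# has_exec_bit FILE: succeeds when any execute bit (user, group, other) is set.
has_exec_bit() {
    [ -f "$1" ] || return 1
    case "$(ls -ldL "$1" | cut -c2-10)" in
        *[xst]*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess DIR: print VULNERABLE, MITIGATED, FIXED or UNKNOWN for one install dir.
assess() {
    dir="$1"
    ver=$(read_version "$dir/version.txt")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"          # no readable version: check manually
    elif ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "FIXED"            # 15.1.7 or higher
    elif has_exec_bit "$dir/prepareinstallation"; then
        echo "VULNERABLE"       # old version and script still executable
    else
        echo "MITIGATED"        # old version, script absent or not executable
    fi
}

echo "$SERVU_DIR: $(assess "$SERVU_DIR")"
```

`chmod -x` with no who clause leaves bits that are set in the umask untouched, so under a restrictive umask the workaround can leave the script executable for group or others; `chmod a-x` clears all three.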
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts
- Execution of prepareinstallation script by non-root users
- Suspicious command execution from Serv-U processes
Network Indicators:
- Unexpected outbound connections from Serv-U server
- Anomalous FTP traffic patterns
SIEM Query:
source="serv-u" AND (event="privilege_escalation" OR process="prepareinstallation")
🔗 References
- http://packetstormsecurity.com/files/153333/Serv-U-FTP-Server-15.1.6-Privilege-Escalation.html
- http://packetstormsecurity.com/files/153505/Serv-U-FTP-Server-prepareinstallation-Privilege-Escalation.html
- https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html
- https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm
- https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems