CVE-2021-35223

8.5 HIGH

📋 TL;DR

CVE-2021-35223 is a remote code execution vulnerability in SolarWinds Serv-U File Server where user-supplied parameters in audit command execution can be exploited. This allows attackers to execute arbitrary commands on affected systems. Organizations running vulnerable versions of Serv-U File Server are affected.

💻 Affected Systems

Products:
  • SolarWinds Serv-U File Server
Versions: Versions prior to 15.2.4
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Serv-U installations with audit/event command execution enabled. The vulnerable feature is part of the product's functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the server, data exfiltration, lateral movement, and deployment of ransomware or other malware.

🟠 Likely Case

Unauthorized access to sensitive files, credential theft, installation of backdoors, and potential data breach.

🟢 If Mitigated

Limited impact with proper network segmentation, but still potential for file server compromise and data access.

🌐 Internet-Facing: HIGH - Serv-U servers exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Even internally, authenticated or network-accessible attackers can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to trigger audit events, but the vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.2.4 and later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35223

Restart Required: Yes

Instructions:

1. Download Serv-U 15.2.4 or later from the SolarWinds portal.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart Serv-U services.
5. Verify version and functionality.

🔧 Temporary Workarounds

Disable Command Execution in Audit Events

Applies to: all

Remove or disable command execution functionality in audit/event settings

Navigate to Serv-U Admin Console > Settings > Auditing > Event Commands and remove any command configurations

Network Segmentation

Applies to: all

Restrict network access to Serv-U servers

Configure firewall rules to limit access to trusted IPs only

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Serv-U servers
  • Disable command execution in audit events and monitor for any suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Serv-U version in Admin Console or via command line: serv-u --version

Check Version:

serv-u --version (Linux) or check About in Serv-U Admin Console (Windows)

Verify Fix Applied:

Verify version is 15.2.4 or higher and check that command execution in audit events is properly sanitized
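The version comparison above is easy to get wrong across a fleet when About strings carry product names or hotfix suffixes. The following is an added example, not code from the advisory or from SolarWinds: it parses whatever version string the Admin Console or the page's `serv-u --version` check reports and flags anything older than the 15.2.4 fix version stated on this page. The "HF" hotfix-suffix handling and the sample inventory are assumptions constructed for the example.

```python
"""Added example (not from the advisory or SolarWinds): classify Serv-U hosts
as patched or vulnerable against the fix version stated on the page (15.2.4).

Assumption: the version string is whatever About or `serv-u --version` prints,
e.g. "15.2.3", "15.2.3 HF2" or "Serv-U 15.2.4". The hotfix-suffix handling is
an assumption about that format, not vendor documentation.
"""
import re

FIXED_VERSION = (15, 2, 4)  # from the advisory: 15.2.4 and later are fixed
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Extract (major, minor, patch, hotfix) from a version/About string.

    A missing hotfix number counts as 0. Raises ValueError when no
    dotted version is present at all.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Serv-U version found in {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_patched(text):
    """True when the reported version is 15.2.4 or later.

    Per the page's "prior to 15.2.4" statement, any 15.2.3 build compares as
    older regardless of hotfix suffix, so only the first three components are
    compared against FIXED_VERSION.
    """
    return parse_version(text)[:3] >= FIXED_VERSION


def assess(inventory):
    """Map host -> 'patched' / 'VULNERABLE' / 'unknown' for (host, version) pairs.

    'unknown' means the version string could not be parsed and the host needs
    a manual check rather than being silently treated as safe.
    """
    result = {}
    for host, version_text in inventory:
        try:
            result[host] = "patched" if is_patched(version_text) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("ftp01.example.internal", "Serv-U 15.2.4"),
    ("ftp02.example.internal", "15.2.3 HF2"),
    ("ftp03.example.internal", "15.3.0"),
    ("ftp04.example.internal", "version string unavailable"),
]

if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed `assess` the (host, version) pairs from your asset inventory; treat every `unknown` as unverified rather than as patched.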

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Serv-U audit logs
  • Suspicious process creation from Serv-U service
  • Failed login attempts followed by command execution

Network Indicators:

  • Unexpected outbound connections from Serv-U server
  • Traffic to unusual ports from Serv-U host

SIEM Query:

source="serv-u" AND (event_type="command_execution" OR process_name="cmd.exe" OR process_name="powershell.exe")
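To show what the three log indicators and the SIEM query above look like as actual detection logic, here is an added example that is not part of the original page and not SolarWinds code. It runs the rules (audit-driven command execution, a shell spawned by the Serv-U service process, and failed logins shortly before a command execution) over a handful of constructed sample log lines. The key=value log format, the `Serv-U.exe` parent-process name and the five-minute correlation window are assumptions made for the example; real Serv-U and EDR record layouts must be mapped to these fields.

```python
"""Added example (not from the advisory or SolarWinds): apply the page's log
indicators to constructed sample log lines and emit alerts.

Assumed input: one event per line as key=value pairs, already normalised from
Serv-U audit logs (source=serv-u) and host process-creation telemetry
(source=host). Timestamps are ISO 8601.
"""
import shlex
from datetime import datetime, timedelta

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # from the page's SIEM query
FAILED_LOGIN_WINDOW = timedelta(minutes=5)           # assumed correlation window

# Constructed sample events; names, users and commands are made up.
SAMPLE_LOGS = """\
ts=2021-07-10T09:00:01 source=serv-u event_type=login user=alice result=success
ts=2021-07-10T09:05:12 source=serv-u event_type=file_upload user=alice path=/reports/q2.pdf
ts=2021-07-10T09:20:03 source=serv-u event_type=login user=admin result=failure
ts=2021-07-10T09:20:09 source=serv-u event_type=login user=admin result=failure
ts=2021-07-10T09:20:15 source=serv-u event_type=login user=admin result=success
ts=2021-07-10T09:20:40 source=serv-u event_type=command_execution user=admin cmd="whoami"
ts=2021-07-10T09:20:41 source=host parent_process=Serv-U.exe process_name=cmd.exe
ts=2021-07-10T09:20:42 source=host parent_process=Serv-U.exe process_name=powershell.exe
ts=2021-07-10T11:00:00 source=host parent_process=explorer.exe process_name=powershell.exe
"""


def parse_line(line):
    """Turn 'k=v k2="v 2"' into a dict (constructed format, not Serv-U's own)."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect(log_text):
    """Return (timestamp, rule, detail) alerts, oldest first."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    alerts = []
    failures_by_user = {}  # user -> timestamps of failed logins seen so far

    for ev in events:
        user = ev.get("user")

        # Rule 1: any command executed from an audit/event action is worth
        # review, because that feature is the vulnerable surface on this page.
        if ev.get("source") == "serv-u" and ev.get("event_type") == "command_execution":
            alerts.append((ev["ts"], "command_execution", f"user={user} cmd={ev.get('cmd')}"))

            # Rule 3: failed logins for the same user shortly before the command.
            recent = [t for t in failures_by_user.get(user, [])
                      if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if recent:
                alerts.append((ev["ts"], "failed_login_then_command",
                               f"user={user} failures={len(recent)}"))

        # Rule 2: cmd.exe / powershell.exe spawned by the Serv-U service process.
        if (ev.get("source") == "host"
                and ev.get("parent_process", "").lower().startswith("serv-u")
                and ev.get("process_name") in SUSPICIOUS_CHILDREN):
            alerts.append((ev["ts"], "serv_u_spawned_shell",
                           f"process={ev['process_name']}"))

        # Record failures after rule evaluation so they only affect later events.
        if ev.get("event_type") == "login" and ev.get("result") == "failure":
            failures_by_user.setdefault(user, []).append(ev["ts"])

    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {rule:28} {detail}")
```

The shell spawned by `explorer.exe` in the sample deliberately does not alert: the parent-process condition is what separates ordinary admin activity from the Serv-U process launching a shell, which is the behaviour the page's second log indicator describes.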

🔗 References
