CVE-2021-25276

In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges.

CVSS v3 7.1 HIGH
CVSS v2.0 3.6 LOW

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

3.6^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 3.9 / Impact : 4.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:solarwinds:serv-u::::::::
	cpe:2.3:a:solarwinds:serv-u:15.2.2:-::::::

History

No history.

Information

Published : 2021-02-03 17:15

Updated : 2024-02-28 18:08

NVD link : CVE-2021-25276

Mitre link : CVE-2021-25276

CVE.ORG link : CVE-2021-25276

JSON object : View

Products Affected

solarwinds

serv-u

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2021-25276", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2021-02-03T17:15:16.637", "references": [{"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges."}, {"lang": "es", "value": "En SolarWinds Serv-U versiones anteriores a 15.2.2 Hotfix 1, se presenta un directorio que contiene archivos de perfil de usuario (que incluyen hash de contrase\u00f1a de usuario) que se puede leer y escribir por todo el mundo. Un usuario no privilegiado de Windows (que tenga acceso al sistema de archivos del servidor) puede agregar un usuario FTP al copiar un archivo de perfil v\u00e1lido en este directorio. Por ejemplo, si este perfil configura a un usuario con un directorio C:\\ home, el atacante obtiene acceso para leer o reemplazar archivos arbitrarios con privilegios LocalSystem"}], "lastModified": "2022-07-12T17:42:04.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B87891C6-CFA7-42B6-9EB8-B313B08D6266", "versionEndExcluding": "15.2.2"}, {"criteria": "cpe:2.3:a:solarwinds:serv-u:15.2.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED0B8AD1-FE25-4C0D-B75C-4DE0EC276DC6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}