SolarWinds Serv-U SSH Exploit Attempt - CVE-2021-35211

SolarWinds Serv-U has two file server products for sending and receiving files over multiple protocols: Serv-U File Transfer Protocol (FTP) and Serv-U Managed File Transfer (MFT). These products for Windows have a remote memory escape vulnerability when specific options are enabled, such as SSH File Transfer Protocol (SFTP). This vulnerability is exploited in three steps. First, the attacker connects to an open SSH port on the Serv-U server and sends multiple SSH messages without completing the SSH handshake. The messages insert malicious payloads into the Serv-U process memory. Next, the attacker exploits the vulnerability by sending disordered SSH handshake messages that skip a key exchange and specify the AES128-CTR encryption protocol (1). As a result of not having the keys, the Serv-U server is unable to decrypt a malicious encrypted packet sent by the attacker, which causes malicious payloads in the Serv-U process memory to run as a Windows service with SYSTEM privileges (2).