CVE-2021-32604: Serv-U File Server 15.2.3 Release Notes

Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka “Share URL XSS.”


Release date: May 5, 2021

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.2.3. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

For details about the latest hotfixes, see Serv-U hotfixes.

Additional Serv-U documentation includes:

  • Serv-U Installation and Upgrade Guide
  • Serv-U 15.2 Administrator Guide
  • System Requirements
  • Getting Started with Serv-U

New features and improvements

Serv-U 15.2.3 is a security-focused release, including:

  • SQLite upgraded to version 3.26
  • Support for Content Security Policy
  • Silent installation improvements
  • Licensing framework changed (see Upgrade notes)

Upgrade notes

Licensing

The Serv-U licensing framework has changed in Serv-U 15.2.3. A new license key must be used to activate this product version; without it the product cannot be used.

If your Serv-U product maintenance is active, your new license key has been generated and can be found on the customer portal. Use this new license key to activate Serv-U 15.2.3 after installation.

SolarWinds strongly recommends upgrading to this version with the new licensing framework, as the older framework will not be supported in the future.

Password security

If you are upgrading from version 15.1.7 or older, password security is increased: existing MD5 password hashes are automatically converted to a more secure algorithm when each user connects for the first time after the upgrade.

If an account is not used within 90 days of the upgrade, access to it is restricted and the user will no longer be able to log in; an administrator will then have to change that account's password.

Fixed issues

Serv-U 15.2.3 fixes the following issues (case number: description):

  • 00434626: DNS rebinding vulnerability fixed.
  • 00731952: Configuration was lost after applying a hotfix; resolved.
  • 00733060, 00746740: Login page text can include <br> tags again.
  • 00743703: Host header injection vulnerability fixed.
  • 00745112: Problems with rights for Windows groups and LDAP resolved.
  • 00747046: SSH host key errors resolved.
  • 00755502: CSP header implemented.
  • 00756736: The anti-hammering setting and the "Allow X-Forwarded-For to change HTTP connection IP addresses" option now work together correctly.
  • 00760866, 00765598: SFTP login issue resolved.
  • 00771303: The user-supplied 'SenderEmail' parameter is now correctly sanitised and validated.
  • 00776476: Security-related HTTP response header issue resolved.
  • 00782585: Names containing apostrophes can now be edited or deleted.

For Serv-U 15.2.2 fixes, see the 15.2.2 Release Notes.

For Serv-U 15.2.1 fixes, see the 15.2.1 Release Notes.

For Serv-U 15.2 fixes, see the 15.2 Release Notes.

CVE issues

SolarWinds would like to thank the security researchers listed below for reporting these issues in a responsible manner and working with our security, product, and engineering teams to fix the vulnerabilities.

CVE-2021-32604: SolarWinds Serv-U FTP Server 15.2.2.573 XSS Vulnerability
Severity: High
Credit: Victor Kahan of Trustwave
Description: SolarWinds Serv-U FTP Server versions up to and including 15.2.2.573 do not correctly sanitise and validate the user-supplied 'SenderEmail' parameter. This allows malicious JavaScript to be injected into a publicly shareable URL; the XSS payload is triggered when the supplied URL is visited.

ALPACA Cross Protocol Reflection Attack (no CVE-ID listed)
Severity: High
Credit:
  Marcus Brinkmann (1)
  Christian Dresen (2)
  Robert Merget (1)
  Damian Poddebniak (2)
  Jens Müller (1)
  Juraj Somorovsky (3)
  Jörg Schwenk (1)
  Sebastian Schinzel (2)
  (1) Ruhr University Bochum
  (2) Münster University of Applied Sciences
  (3) Paderborn University
Description: Serv-U FTP could potentially be misused to perform a cross-protocol attack. Authenticated users can also exploit this for upload/download attacks. In addition, an unauthenticated reflection attack can occur which can potentially lead to XSS.
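As an added illustration of the CVE-2021-32604 fix class (not Serv-U code; the actual IncomingWizard.htm markup and its handler are not shown in these notes): a share page that reflects SenderEmail without encoding, beside a version that first validates the parameter as an e-mail address and then HTML-encodes it on output. The URL, markup, payload and function names are constructed for the example.

```javascript
// Added example (not Serv-U code): reflected XSS through a query parameter and the
// validate-then-encode fix. Markup, URL and function names are assumptions.

// Vulnerable pattern: the query parameter is concatenated straight into the page.
function renderVulnerable(senderEmail) {
  return `<p>Files shared by <b>${senderEmail}</b></p>`;
}

// Hardened: (1) reject anything that is not shaped like an address, so the value never
// reaches the page at all; (2) still HTML-encode on output, since the output context,
// not the input check, is what decides which characters are dangerous.
const EMAIL_RE = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function validateSenderEmail(value) {
  if (typeof value !== "string" || value.length > 254) return null;
  return EMAIL_RE.test(value) ? value : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return s.replace(/[&<>"'`]/g, (c) => map[c]);
}

function renderHardened(senderEmail) {
  const email = validateSenderEmail(senderEmail);
  if (email === null) return "<p>Files shared via Serv-U</p>"; // never echo rejected input
  return `<p>Files shared by <b>${escapeHtml(email)}</b></p>`;
}

// Extract the parameter the way the page would see it when a victim opens the link.
function senderEmailFromShareUrl(url) {
  return new URL(url).searchParams.get("SenderEmail");
}

// Constructed payload URL; host and path are placeholders, the payload closes the
// surrounding tag and injects an event handler.
const PAYLOAD_URL = "https://files.example.com/Share/IncomingWizard.htm?SenderEmail=" +
  encodeURIComponent('a@b.c"><img src=x onerror=alert(document.domain)>');

module.exports = { renderVulnerable, renderHardened, validateSenderEmail, escapeHtml, senderEmailFromShareUrl, PAYLOAD_URL };
```

The CSP support added in this release is a second layer behind the same fix: with a policy that forbids inline script, the injected onerror handler above would be blocked even if encoding were missed somewhere, but the output encoding is still the primary control.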

Legal notices

© 2021 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.
