A valid CSRF token is present in response to an invalid request
Description
Serv-U server responds with a valid CSRFToken when the request contains only a Session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Serv-U server improperly returns a valid CSRF token in response to a request containing only a session identifier, enabling potential CSRF attacks.
Vulnerability
The SolarWinds Serv-U server (affected versions not specified in the available reference) responds with a valid CSRF token when the request contains only a Session parameter, without proper authentication or validation. This behavior allows an attacker to obtain a valid token without legitimate user interaction [1].
Exploitation
An attacker can send a crafted HTTP request to the Serv-U server that includes only a session identifier (e.g., via a Session cookie or parameter). The server returns a valid CSRFToken in the response. The attacker can then use this token in a cross-site request forgery (CSRF) attack against an authenticated user, potentially tricking the user into performing unintended actions [1].
Impact
Successful exploitation allows an attacker to perform actions on behalf of an authenticated user, such as modifying settings, accessing sensitive data, or executing administrative functions, depending on the privileges of the victim. This leads to a breach of integrity and confidentiality [1].
Mitigation
As of the publication date (2021-12-06), no specific fixed version or workaround has been disclosed in the available reference. Users should consult the SolarWinds Trust Center advisory for updates and apply any recommended patches or configuration changes [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <15.2.5
- Range: 15.2.4 Hotfix 1 and previous versions
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.