Microsoft: SolarWinds Fixes Serv-U Bug Exploited for Log4j Attacks
SolarWinds has patched a Serv-U vulnerability discovered by Microsoft that threat actors actively used to propagate Log4j attacks to internal devices on a network.
Microsoft says they discovered the vulnerability during their monitoring of the Log4j attacks.
The bug is an input validation vulnerability discovered by Microsoft security researcher Jonathan Bar Or that allows an attacker to create a query and send it unsanitized over the network.
"During our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software," Microsoft explains in an update to their Log4J advisory.
"During our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software," Microsoft explains in an update to their Log4J advisory."We discovered that the vulnerability, now tracked as CVE-2021-35247, is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation."
Yesterday, SolarWinds issued an advisory for CVE-2021-35247 and released Serv-U 15.3 to fix the vulnerability.
"The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized," reads SolarWinds advisory.
"SolarWinds has updated the input mechanism to perform additional validation and sanitization."
However, SolarWinds states that no downstream effect has been detected "as the LDAP servers ignored improper characters," contradicting Microsoft's report.
At this point, it is unclear if the threat actors attempted to use the vulnerability but failed or if Log4j attacks were successfully propagated as indicated by Microsoft.
Threat actors have previously abused Serv-U vulnerabilities to perform Conti ransomware attacks and other undisclosed attacks.
Sign up for the e-mail list to be informed about the developments in the cyber world and to be informed about the weekly newsletter.