Microsoft Sees Log4j Attacks Exploiting SolarWinds Serv-U Bug

Threat actors have weaponized a newly discovered bug in SolarWinds Serv-U file-sharing software to launch Log4j attacks against networks’ internal devices, Microsoft warned on Wednesday.

SolarWinds issued a fix the day before, on Tuesday.

The vulnerability, tracked as CVE-2021-35247, is an input validation flaw that could allow attackers to build a query, given some input, and to send that query over the network without sanitation, Microsoft’s Threat Intelligence Center (MSTIC) said.

The bug, discovered by Microsoft’s Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior. SolarWinds fixed the vulnerability in Serv-U version 15.3, released on Tuesday.

“The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,” SolarWinds said in its advisory, adding that it had updated the input mechanism “to perform additional validation and sanitization.”

SolarWinds said that it hasn’t seen any “downstream [effect],” given that “the LDAP servers ignored improper characters.”

For its part, MSTIC didn’t give details about the attacks it’s tracked that have been propagated via the Serv-U bug.

Just the Latest in Ongoing Log4j Barrage

The Serv-U attacks are just the latest in the rampant Log4j exploit attempts and testing that have been thrown at the multiple flaws in Apache’s Log4j logging library since those flaws were disclosed – and came under near-immediate attack – last month.

On Tuesday, Akamai researchers also reported that they’ve detected evidence of the unauthenticated remote code execution (RCE) vulnerability in Log4j – tracked as CVE-2021-44228 – being adapted to infect and assist in the proliferation of malware used by the Mirai botnet by targeting Zyxel networking devices.

MSTIC strongly recommended that affected customers apply the SolarWinds security updates.