SolarWinds Serv-U bug exploited for Log4j attacks


SolarWinds has fixed a Serv-U vulnerability that threat actors actively exploited to carry out Log4j attacks to internal devices on a network.

SolarWinds has addressed a vulnerability in its Serv-U product that threat actors actively exploited to propagate Log4j attacks to internal devices on a network.

The vulnerability, tracked as CVE-2021-35247, was discovered by Microsoft security researcher Jonathan Bar Or while monitoring attacks exploiting the vulnerabilities in the Log4j library.

The flaw is an input validation vulnerability: a threat actor could supply input that is used to build a query, and that query is then sent over the network without sanitization.

“During our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. We discovered that the vulnerability, now tracked as CVE-2021-35247, is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,” reads the advisory published by Microsoft.

According to the advisory published by SolarWinds, the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.

SolarWinds released Serv-U 15.3 that addresses the vulnerability by performing additional validation and sanitization.

“The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,” reads the advisory published by SolarWinds. “SolarWinds has updated the input mechanism to perform additional validation and sanitization.”

The vendor pointed out that no downstream effect has been detected because the LDAP servers ignored the improper characters, but this contrasts with Microsoft's report of successful exploitation of the issue.
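The fix SolarWinds describes, additional validation and sanitization of the login input before it reaches LDAP, corresponds to the RFC 4515 escaping of filter values shown here. This is an added example, not SolarWinds' or Microsoft's code; the filter template, the `sAMAccountName` attribute and the sample usernames are constructed assumptions.

```python
# Added example, not SolarWinds' or Microsoft's code: RFC 4515 escaping of a
# user-supplied value before it is placed in an LDAP search filter, plus a
# structural check that a filter still matches its template. The template
# and sample usernames are constructed for illustration.

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return value with filter metacharacters escaped so it is a literal."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the login field is concatenated straight into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: the same template with the value escaped first."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


def count_unescaped_parens(ldap_filter: str) -> tuple[int, int]:
    """Count structural '(' and ')', skipping RFC 4515 '\\XX' escape sequences."""
    opens = closes = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3          # skip the backslash and its two hex digits
            continue
        if ch == "(":
            opens += 1
        elif ch == ")":
            closes += 1
        i += 1
    return opens, closes


# The template has three assertions, so a correctly formed filter has 3 of each.
TEMPLATE_PARENS = (3, 3)


def filter_structure_intact(ldap_filter: str) -> bool:
    """Defensive check: reject a filter whose shape no longer matches the template."""
    return count_unescaped_parens(ldap_filter) == TEMPLATE_PARENS
```

With a constructed username such as `alice (contractor)*`, the unsafe builder yields a filter with four pairs of parentheses and fails the check, while the safe builder escapes the value and keeps the three-assertion shape.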

While monitoring threats related to the Log4j 2 vulnerabilities, we saw attacks being propagated via an input validation flaw in the SolarWinds Serv-U software. We reported our discovery to SolarWinds, and security updates have been released. More info: https://t.co/U2OLjgJdNa

— Microsoft Security Intelligence (@MsftSecIntel) January 19, 2022

In the past, other threat actors exploited Serv-U vulnerabilities to carry out malicious activities. In November, the Clop ransomware gang (aka TA505, FIN11) was spotted exploiting the CVE-2021-35211 SolarWinds Serv-U vulnerability to breach businesses' infrastructures and deploy its ransomware.

In July 2021, Microsoft reported that the recent attacks against SolarWinds file transfer servers were carried out by a Chinese hacking group tracked as DEV-0322.

In July, SolarWinds addressed a zero-day remote code execution flaw (CVE-2021-35211) in Serv-U products which was actively exploited in the wild by a single threat actor.

SolarWinds was informed of the zero-day by Microsoft; the issue affects Serv-U Managed File Transfer Server and Serv-U Secured FTP. According to Microsoft, the flaw was exploited in attacks against a limited, targeted set of customers by a single threat actor.


Pierluigi Paganini
