Hackers try to exploit new SolarWinds Serv-U flaw in Log4Shell attack

Microsoft on Wednesday disclosed details of a new security flaw in SolarWinds Serv-U software that it said has been weaponized by threat actors to spread attacks that exploit a Log4j flaw to compromise targets.

Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is “an input validation vulnerability that could allow an attacker, given some input, to construct a query and send that query over the network without sanitation”, Microsoft Threat Intelligence Center (MSTIC) said.

Discovered by security researcher Jonathan Bar Or, the vulnerability affects Serv-U version 15.2.5 and earlier, and has been resolved in Serv-U version 15.3.

“Serv-U Web Login Screen for LDAP Authentication Allows Insufficiently Sanitized Characters,” SolarWinds said in the advisory, adding that it “updates the input mechanism to perform additional validation and sanitization”.

The IT management software maker also noted that “due to the LDAP server ignoring incorrect characters, no downstream impact was detected.” It’s unclear whether the attacks Microsoft detected were merely attempts to exploit the vulnerability, or whether they ultimately succeeded.
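The kind of validation and sanitization the advisory describes can be sketched as follows. This is an added example, not SolarWinds' code: the function names, the username allowlist and the `sAMAccountName` attribute are assumptions, and the sample inputs are constructed. It goes slightly beyond the article by applying the general RFC 4515 filter-escaping rules and by flagging Log4j-style lookup syntax in a login name so it can be alerted on.

```python
import re

# RFC 4515 section 3: these characters must be escaped as \XX inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Conservative allowlist for login names (assumption: adapt to your directory's naming rules).
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Start of a Log4j-style lookup expression; it has no place in a login name.
_LOOKUP_RE = re.compile(r"\$\{")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def classify_login(username: str) -> str:
    """Return 'ok', 'suspicious' (lookup syntax, worth alerting on) or 'invalid'."""
    if _LOOKUP_RE.search(username):
        return "suspicious"
    if not _USERNAME_RE.fullmatch(username):
        return "invalid"
    return "ok"


def build_user_filter(username: str, attribute: str = "sAMAccountName") -> str:
    """Validate first, then escape anyway (defence in depth) and build the filter."""
    verdict = classify_login(username)
    if verdict != "ok":
        raise ValueError(f"rejected login name ({verdict})")
    return f"({attribute}={escape_filter_value(username)})"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real log.
    samples = ["alice", "bob.smith@example.com", "*)(objectClass=*", "${jndi:placeholder}"]
    for name in samples:
        print(repr(name), "->", classify_login(name))
```

Logging the `suspicious` verdict separately from ordinary failed logins gives defenders a signal for probing of the login form even when, as here, the back end is not vulnerable.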

The development comes as multiple threat actors continue to exploit the Log4Shell vulnerability to scan and infiltrate vulnerable networks at scale, deploying backdoors, coin miners, ransomware, and remote shells that provide persistent access for further post-exploitation activities.

Akamai researchers, in an analysis published this week, also found evidence that the vulnerability was being abused to infect Zyxel network equipment and facilitate the spread of malware used by the Mirai botnet.

On top of that, a China-based hacking group was previously observed using a critical security flaw affecting SolarWinds Serv-U (CVE-2021-35211) to install malicious programs on infected computers.

Update: In a statement shared with The Hacker News, SolarWinds pointed out that its Serv-U software was not exploited in the Log4j attack and that attackers had attempted to log into the SolarWinds Serv-U file sharing software through an attack that exploited the Log4j flaw.

“The activity mentioned by Microsoft in their report is related to threat actors attempting to log into Serv-U using the Log4j vulnerability, but since Serv-U does not use Log4j code and the authentication target LDAP (Microsoft Active Directory) is not vulnerable to Log4J attacks,” a company spokesman said.

While this directly contradicted Microsoft’s initial disclosure that attackers were exploiting a previously undisclosed vulnerability in the SolarWinds Serv-U hosted file transfer service to spread a Log4j attack, those attempts ultimately failed because there was no vulnerable Log4j code.

(This story has been edited to clarify that Serv-U is not vulnerable to Log4Shell attacks.)


