Attackers looking to exploit recently discovered Log4j vulnerabilities are also trying to take advantage of a previously undisclosed vulnerability in the SolarWinds Serv-U software (CVE-2021-35247).
It affects version 15.2.5 and previous versions of Serv-U, and has been patched by SolarWinds in version 15.3.
CVE-2021-35247 is an input validation vulnerability in the Serv-U File Server’s web login screen that could allow attackers to build a query after been given some input and send that query over the network without sanitation.
“When hunting for log4j exploit attempt I noticed attacks coming from serv-u.exe. Taking a closer looked revealed you could feed Serv-U with data and it’ll build a LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” shared Microsoft security researcher Jonathan Bar Or.
According to SolarWinds’ security advisory, the vulnerability has been fixed by updating the input mechanism to perform additional validation and sanitization.
“No downstream affect has been detected as the LDAP servers ignored improper characters,” the company also noted, apparently refuting Microsoft researcher’s last conclusion.
Microsoft did not say whether the attackers were successful in exploiting CVE-2021-35247, but have urged customers to apply security updates to vulnerable devices.
This is the second Serv-U vulnerability detected in the last six months getting exploited in the wild. The earlier one was a (at the time) zero-day remote code execution flaw (CVE-2021-35211), and its exploitation has been attributed by Microsoft to a China-based attack group hitting entities in the U.S. defense industrial base sector and software companies.
UPDATE: Friday, January 21, 01:25 PT
A SolarWinds spokesperson reached out with the following comment:
“The activity Microsoft was referring to in their report was related to a threat actor attempting to login to Serv-U using the Log4J vulnerability but that attempt failed as Serv-U does not utilize Log4J code and the target for authentication LDAP (Microsoft Active Directory) is not susceptible to Log4J attacks.”