Log4J: Microsoft discovers attackers targeting undisclosed SolarWinds vulnerability
Microsoft researchers have discovered a previously undisclosed vulnerability in the SolarWinds Serv-U software while monitoring threats related to Log4J vulnerabilities.
Jonathan Bar Or explained on Twitter that while he was hunting for a Log4J exploit attempt, he noticed attacks coming from serv-u.exe.
“Taking a closer looked revealed you could feed Ssrv-U with data and it’ll build a LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” he wrote.
“Solarwinds immediately responded, investigated and fixed the #vulnerability. Their response is the quickest I’ve seen, really amazing work on their part!”
Microsoft later released a blog about the issue, tracked as as CVE-2021-35247, and said it is an “input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.”
In their advisory, SolarWinds said the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.
“SolarWinds has updated the input mechanism to perform additional validation and sanitization. No downstream affect has been detected as the LDAP servers ignored improper characters,” the company said, adding that it affects 15.2.5 and previous versions.
NTT Application Security’s Ray Kelly told ZDNet that the vulnerability surprised and concerned him considering SolarWinds is fresh on the heels of their previous breach that affected thousands of customers.
“Given that the Log4j disclosure was published in December, this Open Source vulnerability should have been of the utmost priority for SolarWinds. While it appears that SolarWinds was not susceptible to have the vulnerable component exploited, it’s still not something want in your software product,” Kelly said.
“Most all application security products can detect the Log4j vulnerability giving developers the ability to quickly identify and fix issue.”
Microsoft urged customers to apply the security updates explained in the SolarWinds advisory and said customers can use their tools to identify and remediate devices that have the vulnerability. Microsoft Defender Antivirus and Microsoft Defender for Endpoint also detect behavior related to the activity, they added.
Netenrich’s John Bambenek added that Microsoft’s warning and SolarWinds’ quick response time represented a positive example of how vulnerabilities need to be dealt with.
“This is the kind of vulnerability and research cooperation we need, where a major tech company with visibility to see the attacks reaches out to the software company and a fix is rushed to production,” Bambenek said.