Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets.
Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an “input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,” Microsoft Threat Intelligence Center (MSTIC) said.
The flaw, which was discovered by security researcher Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior, and has been addressed in Serv-U version 15.3.
“The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,” SolarWinds said in an advisory, adding it “updated the input mechanism to perform additional validation and sanitization.”
The IT management software maker also pointed out that “no downstream effect has been detected as the LDAP servers ignored improper characters.” It’s not immediately clear if the attacks detected by Microsoft were mere attempts to exploit the flaw or if they were ultimately successful.
The development comes as multiple threat actors continue to take advantage of the Log4Shell flaws to mass scan and infiltrate vulnerable networks for deploying backdoors, coin miners, ransomware, and remote shells that grant persistent access for further post-exploitation activity.
Akamai researchers, in an analysis published this week, also found evidence of the flaws being abused to infect and assist in the proliferation of malware used by the Mirai botnet by targeting Zyxel networking devices.
On top of this, a China-based hacking group has been previously observed exploiting a critical security vulnerability affecting SolarWinds Serv-U (CVE-2021-35211) to install malicious programs on the infected machines.
Update: In a statement shared with The Hacker News, SolarWinds pointed out that its Serv-U software wasn’t exploited in the Log4j attacks, and that attempts were made to log in to SolarWinds Serv-U file-sharing software via attacks exploiting the Log4j flaws.
“The activity Microsoft was referring to in their report was related to a threat actor attempting to login to Serv-U using the Log4j vulnerability but that attempt failed as Serv-U does not utilize Log4j code and the target for authentication LDAP (Microsoft Active Directory) is not susceptible to Log4J attacks,” a company spokesperson said.
While this directly contradicts Microsoft’s original disclosure that attackers were exploiting the previously undisclosed vulnerability in the SolarWinds Serv-U managed file transfer service to propagate Log4j attacks, the attempts ultimately failed because the vulnerable Log4j code isn’t present in the software.
(The story has been revised to to clarify that Serv-U is not vulnerable to the Log4Shell attacks.)