Microsoft: Attackers Tried to Login to SolarWinds Serv-U Via Log4j Bug

UPDATE: SolarWinds has fixed a Serv-U bug discovered when attackers used the Log4j flaw to try to log in to the file-sharing software.

Attackers are trying to log in to SolarWinds Serv-U file-sharing software via attacks exploiting the Log4j  flaws.

This is a confusing story: Initially,  Microsoft had warned on Wednesday that attackers were exploiting a previously undisclosed vulnerability in the SolarWinds Serv-U file-sharing software to propagate Log4j attacks against networks’ internal devices via the SolarWinds bug.

SolarWinds had issued a fix the day before, on Tuesday.

SolarWinds subsequently reached out to Threatpost  and other news outlets on Thursday to clarify that Microsoft’s report referred  to a threat actor attempting to login to Serv-U using the Log4j vulnerability. The attempt failed, given that Serv-U doesn’t use  Log4j code and the target for authentication – LDAP (Microsoft Active Directory) – isn’t susceptible to Log4j attacks. 

The SolarWinds vulnerability, tracked as CVE-2021-35247, is an input validation flaw that could allow attackers to build a query, given some input, and to send that query over the network without sanitation, Microsoft’s Threat Intelligence Center (MSTIC) said.

Password Management Webinar

The bug, discovered by Microsoft’s Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior. SolarWinds fixed the vulnerability in Serv-U version 15.3, released on Tuesday.

“The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,” SolarWinds said in its advisory, adding that it had updated the input mechanism “to perform additional validation and sanitization.”

Microsoft security researcher Jonathan Bar Or, credited with discovering the bug, explained that he had seen attacks coming from serv-u.exe while hunting for log4j exploit attempts. “Taking a closer looked revealed you could feed Serv-U with data and it’ll build a LDAP query with your unsanitized input!” he said. “This could be used for log4j attack attempts, but also for LDAP injection.”

A SolarWinds representative told Threatpost that the attacker wasn’t able to login to Serv-U, and that the Microsoft researcher was referencing attempted logins that failed, since Serv-U doesn’t leverage Log4J code.

SolarWinds said that it hasn’t seen any “downstream [effect]” of the bug, given that “the LDAP servers ignored improper characters.”

For its part, MSTIC didn’t give details about the attack it observed.

Just the Latest in Ongoing Log4j Barrage

The Serv-U attacks are just the latest in the rampant Log4j exploit attempts and testing that have been thrown at the multiple flaws in Apache’s Log4j logging library since those flaws were disclosed – and came under near-immediate attack – last month.

On Tuesday, Akamai researchers also reported that they’ve detected evidence of the unauthenticated remote code execution (RCE) vulnerability in Log4j – tracked as CVE-2021-44228 – being adapted to infect and assist in the proliferation of malware used by the Mirai botnet by targeting Zyxel networking devices.

MSTIC strongly recommended that affected customers apply the SolarWinds security updates.

Suggested articles