Threat actors attempted to exploit SolarWinds Serv-U bug in attacks in the wild, Microsoft warns

Pierluigi Paganini January 20, 2022

Security vendor SolarWinds has fixed a Serv-U vulnerability that threat actors attempted to exploit in attacks in the wild.

SolarWinds has addressed a vulnerability in its Serv-U products that threat actors attempted to exploit in the wild. The company pointed out that all of the observed attack attempts failed.

The vulnerability, tracked as CVE-2021-35247, was discovered by Microsoft security researcher Jonathan Bar Or while monitoring attacks exploiting the vulnerabilities in the Log4j library.

The flaw is an input validation vulnerability: an attacker can supply input that is used to build a query, and that query is then sent over the network without sanitization.

“During our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. We discovered that the vulnerability, now tracked as CVE-2021-35247, is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.” reads the advisory published by Microsoft.

According to the advisory published by SolarWinds, the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized.

SolarWinds released Serv-U 15.3 that addresses the vulnerability by performing additional validation and sanitization.

“The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,” reads the advisory published by SolarWinds. “SolarWinds has updated the input mechanism to perform additional validation and sanitization.”

The vendor pointed out that no downstream effect has been detected, as the LDAP servers ignored the improper characters.
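The sanitization gap SolarWinds describes is the LDAP filter-injection class: when a login handler places the submitted username into an LDAP search filter verbatim, the characters `*`, `(`, `)`, `\` and NUL change the structure of the filter instead of being matched literally. The Python below is an added illustration of that pattern next to its fix (RFC 4515 escaping of the assertion value) and of a simple check for metacharacters in submitted usernames. It is not Serv-U's code and is not taken from either advisory; the filter template, the sample usernames and the function names are assumptions made for the example, and no LDAP server is contacted.

```python
# Added example: the generic LDAP filter-injection pattern and its fix.
# Illustrative code only, not Serv-U's implementation. The filter
# template, the sample usernames and the function names are assumptions.

from typing import Iterable, List

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, mapped to their backslash-hex form.
LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# The same characters as a set, for quick detection on raw input.
LDAP_FILTER_METACHARS = frozenset(LDAP_FILTER_ESCAPES)


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    # Character-by-character substitution: each metacharacter maps to its
    # escape sequence, every other character passes through unchanged.
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the submitted username is interpolated verbatim."""
    # Assumed filter template for a web login that looks up the account entry.
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: escape the value before it goes into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


def has_ldap_metacharacters(username: str) -> bool:
    """True if the raw username contains an RFC 4515 filter metacharacter.

    Usable as an allow/deny check before the filter is built, and for
    reviewing login attempts after the fact.
    """
    return any(ch in LDAP_FILTER_METACHARS for ch in username)


def flag_suspicious_usernames(usernames: Iterable[str]) -> List[str]:
    """Return the submitted usernames that would alter an unescaped filter."""
    return [u for u in usernames if has_ldap_metacharacters(u)]


# Constructed sample of usernames as submitted to a web login form.
SAMPLE_LOGIN_ATTEMPTS = [
    "alice",
    "j.doe",
    "*)(objectClass=*",   # injection probe: closes the assertion, adds a wildcard one
    "svc\\backup",        # a backslash would start an escape sequence
    "bob\x00",            # NUL inside a value
]

if __name__ == "__main__":
    probe = "*)(objectClass=*"
    print("unsafe:", build_login_filter_unsafe(probe))
    print("safe:  ", build_login_filter_safe(probe))
    print("flagged:", flag_suspicious_usernames(SAMPLE_LOGIN_ATTEMPTS))
```

With the probe `*)(objectClass=*`, the unsafe builder yields `(&(objectClass=user)(sAMAccountName=*)(objectClass=*))`, a syntactically valid filter that no longer pins the lookup to one account; the escaped form keeps the probe as a literal string that matches no real account name. Whether an unescaped probe achieves anything depends on what the directory server does with it, which is in line with the vendor's statement that its LDAP servers ignored the improper characters. The flagging function can be run over a list of usernames pulled from web login logs to spot probing.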

In the past, other threat actors exploited Serv-U vulnerabilities to carry out malicious activities. In November, the Clop ransomware gang (aka TA505, FIN11) was spotted exploiting the SolarWinds Serv-U vulnerability CVE-2021-35211 to breach business networks and deploy its ransomware.

In July 2021, Microsoft reported that the recent attacks against SolarWinds file transfer servers were carried out by a Chinese hacking group tracked as DEV-0322.

In July, SolarWinds addressed a zero-day remote code execution flaw (CVE-2021-35211) in Serv-U products which was actively exploited in the wild by a single threat actor.

SolarWinds was informed of the zero-day by Microsoft; the issue affects Serv-U Managed File Transfer Server and Serv-U Secured FTP. According to Microsoft, the flaw was exploited in attacks against a limited, targeted set of customers by a single threat actor.
