SolarWinds, the Orion vendor hit by a major vulnerability last year, has fixed a bug discovered by Microsoft in its Serv-U file-sharing software. Attackers reportedly used the Log4j flaw in attempts to connect to it. But the two vendors' accounts are somewhat contradictory.
Can one cyberattack hide another? It certainly seems so, given a common thread that appears to link the SolarWinds and Log4Shell exploits. Microsoft has just found that attackers tried to connect to SolarWinds' Serv-U file-sharing software through attacks exploiting flaws in the Apache Log4j library.
“During our threat monitoring of attacks leveraging Log4j 2 vulnerabilities, we observed activity related to attacks propagating through a previously undisclosed flaw in SolarWinds Serv-U software. We discovered that the flaw, now identified as CVE-2021-35247, is an input validation vulnerability giving attackers the ability to build a request from some input and send it over the network without it being sanitized,” Microsoft said in an update to its Log4j post. “We reported our finding to SolarWinds, and we would like to thank their teams for immediately investigating and working to fix the vulnerability.”
A patch unrelated to Log4j?
Microsoft security researcher Jonathan Bar Or, who discovered the bug, explained that he noticed attacks originating from serv-u.exe while looking for Log4j exploit attempts. “On closer inspection, you can feed Serv-U with data and it will build an LDAP query with your unsanitized input!” he explained. “This could be used for Log4j attack attempts, but also for LDAP injection.” The vendor contacted several outlets, including ThreatPost, to clarify the situation: “Microsoft’s report refers to a malicious actor attempting to connect to Serv-U using the Log4j vulnerability. The attempt failed, as Serv-U does not use Log4j code and the LDAP (Microsoft Active Directory) authentication target is not susceptible to Log4j attacks.”
The Orion vendor has indeed released a patch, but it reportedly has nothing to do with any vulnerability even remotely linked to Log4j: “The Serv-U web login screen for LDAP authentication allowed characters that were not sufficiently sanitized,” SolarWinds explained. The vendor has therefore updated the input mechanism to perform additional validation and sanitization. “No downstream effects were detected, as the LDAP servers ignored the bad characters. To ensure that input validation is performed in all environments, SolarWinds recommends planning an update to the latest version of Serv-U,” the vendor says.
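To make concrete the class of defect both vendors describe (user input reaching an LDAP query without sanitization) and the kind of fix SolarWinds says it applied (additional validation and sanitization), here is an added Python example. It is not Serv-U code and does not reflect how Serv-U builds its queries; the escaping follows RFC 4515, while the filter shape, the username allow-list and the sample inputs are assumptions made for illustration.

```python
import re

# Escape table from RFC 4515 section 3: characters that carry meaning inside an
# LDAP search filter are replaced by a backslash and their two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape an untrusted string so it can only ever be an assertion value,
    never filter syntax."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Hypothetical vulnerable pattern: raw input is concatenated into the filter,
    so any metacharacters in the username become part of the filter's structure."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened form: the same query with the value escaped before insertion."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


# Allow-list for a login name (assumed policy): a conservative character set
# rejects anything resembling filter syntax before it reaches the query at all.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """Input-boundary validation: True only if the name matches the allow-list."""
    return _USERNAME_RE.fullmatch(username) is not None


def count_filter_items(filter_str: str) -> int:
    """Number of filter items, i.e. unescaped '(' characters. For the login
    query above this must always be 3; a larger count means the input changed
    the query's structure rather than just its value."""
    return filter_str.count("(")


if __name__ == "__main__":
    # Constructed sample inputs: a normal login name and one carrying filter metacharacters.
    for name in ("j.doe", "j.doe (contractor)*"):
        unsafe = build_login_filter_unsafe(name)
        safe = build_login_filter_safe(name)
        print(f"input={name!r} allowed={is_valid_username(name)}")
        print(f"  unsafe: {unsafe}  items={count_filter_items(unsafe)}")
        print(f"  safe:   {safe}  items={count_filter_items(safe)}")
```

The two layers are complementary: the allow-list stops malformed names at the login form, and the escaping guarantees that whatever does reach the query builder is treated as data. Counting filter items is a cheap regression check that the query's shape is independent of its input.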
For its part, Microsoft’s Threat Intelligence Center team has not detailed the attack it observed. In these circumstances it is difficult to untangle all the threads of this story…