Posted on January 23, 2022 at 7:27 AM
Tech giant Microsoft has revealed that it discovered an unknown vulnerability in the SolarWinds Serv-U software while its research team was monitoring the Log4J bug.
According to Jonathan Bar Or, who is part of Microsoft’s security team, the vulnerability discovered is being targeted by threat actors.
“… you could feed Serv-U with data and it’ll build an LDAP query with your unsanitized input!” he stated. Jonathan also noted that the vulnerability can be used for Log4j exploits as well as for LDAP injection.
The Vulnerability Was Patched Quickly
After the notification was sent to SolarWinds, the company responded and quickly launched an investigation into the situation. SolarWinds said the vulnerability has been fixed. However, it’s not clear whether the vulnerability has been successfully exploited in the wild.
“Their response is the quickest I’ve seen, really amazing work on their part!” Jonathan noted. Microsoft has also informed users about the issue through a blog post. The vulnerability, tracked as CVE-2021-35247, allows attacker-supplied input to be built into a query. It is an input validation bug: input received over the network is passed on without any form of sanitization.
SolarWinds acknowledged that the Serv-U login screen for LDAP authentication allowed characters that were not sanitized properly.
Additional Sanitation And Validation To Be Performed
The firm has also updated the input mechanism to carry out additional sanitization and validation. However, SolarWinds noted that it has not detected any downstream effect, since the LDAP servers did not accept the improper characters. The company has informed users that the vulnerability only affects version 15.2.5 and earlier.
Ray Kelly of NTT Application Security, while analyzing the vulnerability, stated that the bug was a big concern, considering that the affected company’s systems were breached last year in an incident that affected thousands of customers. He stated that SolarWinds should have done a lot more to protect its systems and keep its server free of any form of bug.
Since the Log4j disclosure was published in December, Kelly said, the open source vulnerability would have been taken very seriously by SolarWinds. Although SolarWinds appears not to have been affected by that bug, it is still not acceptable that the company is mentioned in another bug issue so soon, Kelly added.
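As an added illustration of the kind of sanitization and validation fix the advisory describes (example code written for this article, not SolarWinds’ or Microsoft’s code; the filter shape, the username allow-list and the sample inputs are assumptions), the following contrasts raw concatenation of a login name into an LDAP filter with RFC 4515 escaping plus an allow-list check, and adds a structural check a defender can use to spot a filter that gained extra clauses:

```python
import re

# RFC 4515: these characters carry meaning inside an LDAP search filter and
# must be encoded as \XX (hex of the byte) when they come from untrusted
# input such as a login form.
_FILTER_SPECIALS = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

def escape_filter_value(value: str) -> str:
    """Escape an attribute value for safe use inside an LDAP filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)

def build_filter_unsafe(username: str) -> str:
    """The injectable pattern: the login name is concatenated verbatim."""
    return f"(&(objectClass=person)(uid={username}))"

def build_filter_safe(username: str) -> str:
    """Hardened build: the untrusted value is escaped before insertion."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

# Validation layer (assumed policy): a login name never needs filter
# metacharacters, so reject anything outside a conservative allow-list
# before it reaches the query builder at all.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def is_valid_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None

def count_clauses(flt: str) -> int:
    """Count unescaped '(' in a filter. A fixed login lookup should always
    produce the same count; a higher count means input added clauses."""
    n, i = 0, 0
    while i < len(flt):
        if flt[i] == "\\":
            i += 3          # skip a \XX escape sequence entirely
            continue
        if flt[i] == "(":
            n += 1
        i += 1
    return n
```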
Customers Have Been Advised To Update Their Devices
Microsoft has advised customers to apply the security updates SolarWinds described in its advisory to avoid falling victim to an exploit.
According to the advisory, customers can use the available tools to identify and remediate devices that have been exposed. In addition, Microsoft Defender for Endpoint and Microsoft Defender Antivirus can help detect behavior related to the vulnerability or its exploitation. While the vulnerability has been patched, those who have not updated their systems are still at risk of exploitation.
John Bambenek of Netenrich also stated that SolarWinds’ quick response and Microsoft’s warning are a perfect example of how best to deal with a vulnerability. When a vulnerability is exposed and fixed quickly, it gives threat actors little chance of exploitation. This spares both the software vendor and the customers the headaches that would follow if the vulnerability were exploited.
Bambenek added that the research cooperation between both parties is exactly what the cybersecurity industry needs to deal with attacks. In this case, a major tech firm was quick to uncover a critical vulnerability in a software company’s product, while the affected company moved immediately to fix the bug.
Microsoft did not say whether threat actors have succeeded in exploiting the vulnerability, but maintained that, to stay on the safe side, users should apply updates to their servers as soon as possible.
Microsoft Discovered An Unsuccessful Attempt To Exploit The Bug
This will be the second time a Serv-U vulnerability has been uncovered in the last six months. The first was the zero-day remote code execution vulnerability tracked as CVE-2021-35211.
Microsoft said a China-based threat group was responsible for the exploitation of the bug. It affected software companies and the U.S. defense industrial base. The vulnerability was also exploited to carry out Conti ransomware attacks and other forms of attacks on companies and institutions.
In the case of the latest vulnerability, SolarWinds stated that Microsoft discovered an attempt to exploit the bug. The SolarWinds update noted that a threat actor was trying to log into Serv-U using the Log4j bug, but the attempt was not successful: Serv-U does not use Log4j code, and LDAP, the target of the authentication, is not vulnerable to Log4j attacks.