Admins urged to patch SolarWinds Serv-U bug against Log4j attacks

Hackers are actively exploiting the bug in the wild, according to Microsoft

Update 25/1/22: A SolarWinds spokesperson has been in touch to correct an error made in several media reports, telling us, "Serv-U does not leverage Log4J code so it is not vulnerable to Log4J attacks."

A statement from SolarWinds provides further detail.

'The activity Microsoft was referring to in their report was related to a threat actor attempting to login to Serv-U using the Log4j vulnerability, but that attempt failed as Serv-U does not utilise Log4j code and the target for authentication LDAP (Microsoft Active Directory) is not susceptible to Log4J attacks.'

Original story continues below

IT admins whose companies use SolarWinds' Serv-U file transfer application have been urged to install an update to secure their systems against a security vulnerability that threat actors are actively exploiting in the wild.

On Wednesday, Microsoft disclosed details of a security flaw in SolarWinds Serv-U software, which it said was being exploited by malicious actors to launch attacks leveraging the Log4j bugs to compromise targets.

The issue, indexed as CVE-2021-35247, is an input validation bug that could allow attackers to generate a query from some input and then send that query over the network without sanitisation.

The flaw was discovered by Microsoft security researcher Jonathan Bar Or when he was monitoring attacks exploiting the security bugs in the Log4j library.

"During our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software," Microsoft Threat Intelligence Center (MSTIC) researchers said in an update to their Log4j advisory.

The bug affects Serv-U versions 15.2.5 and prior, according to researchers, and has been fixed in Serv-U version 15.3, which performs additional validation and sanitisation.

"The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitised," SolarWinds explained in its security advisory, adding that no downstream effect as a result of the attempted abuse of the bug has been detected as the LDAP servers ignored improper characters.
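The defect class described above, a login name concatenated into an LDAP search filter without validation or escaping, next to the hardened form, as an added illustration that is not SolarWinds' or Microsoft's code; the function names, the RFC 4515 escaping, and the username allow-list are assumptions, not details of Serv-U itself.

```python
import re

# RFC 4515 requires these characters to be escaped inside an LDAP
# search-filter assertion value; control characters are written as \XX too.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


# Hypothetical allow-list for login names: the "additional validation" layer.
# Reject the request outright rather than relying on escaping alone.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def is_valid_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None


def build_login_filter_unsafe(username: str) -> str:
    """The defect class the article describes: raw input concatenated into a filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter(username: str) -> str:
    """Hardened form: validate first, then escape before building the filter."""
    if not is_valid_username(username):
        raise ValueError("username contains characters that are not allowed")
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


if __name__ == "__main__":
    sample = "j.doe(1)*"  # constructed input containing filter metacharacters
    print(build_login_filter_unsafe(sample))  # metacharacters reach the filter unchanged
    print(escape_ldap_filter_value(sample))   # -> j.doe\281\29\2a
    try:
        build_login_filter(sample)
    except ValueError as exc:
        print("rejected:", exc)
```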

The development comes as multiple threat groups continue to take advantage of the Log4j bugs to deploy malware on vulnerable machines.

This week, Akamai researchers said that they had found evidence suggesting that attackers were abusing the Log4j vulnerability in Zyxel networking devices to spread the malware used by the Mirai botnet.

Last month, Microsoft reported that hackers were attempting to deliver a new family of ransomware, dubbed Khonsari, on self-hosted Minecraft servers by exploiting the critical Log4Shell bug.

The Belgian Ministry of Defence also confirmed a cyber attack on its computer network in December that exploited the Log4j vulnerability.

Threat actors have also attempted to exploit Serv-U security bugs in the past to carry out malicious activities.

In July, SolarWinds released a patch for a previously unknown zero-day bug that was exploited by a single threat actor in attacks targeting a limited number of customers.

The remote code execution bug, which was tracked as CVE-2021-35211, impacted Serv-U Managed File Transfer and Serv-U Secure FTP tools, which are used to manage remote file servers.

SolarWinds said that CVE-2021-35211 was "completely unrelated" to 2020's massive cyber espionage campaign, in which alleged Russian hackers exploited a vulnerability in SolarWinds' Orion software to break into the computer networks of several government agencies and private firms.

At the time, hackers inserted malicious code into legitimate software updates for the Orion software, which allowed them remote access into the networks of multiple US government departments and private companies.

The White House blamed Russia for the intelligence coup and sanctioned several Russian officials and organisations in April. Russia denied the allegations, saying it had no involvement in the hack.