Microsoft finds attackers exploiting a previously unknown SolarWinds vulnerability while tracking Log4j attacks

While monitoring threats connected to the Log4j vulnerabilities, Microsoft researchers uncovered a previously unknown vulnerability in SolarWinds' Serv-U software.

On Twitter, Microsoft researcher Jonathan Bar Or said that while hunting for Log4j exploitation attempts, he noticed attacks originating from serv-u.exe.

“Taking a deeper look found that you can give Serv-U data and it will generate an LDAP query using your raw data! This might be used for LDAP injection as well as log4j attacks,” he wrote.

“Solarwinds reacted quickly, investigated, and resolved the #vulnerability. Their reaction time is the fastest I’ve ever seen, and they’ve done an incredible job!”

Microsoft later published a blog post on the vulnerability, which is tracked as CVE-2021-35247, describing it as an “input validation vulnerability that might enable attackers to compose a query given some data and transmit that query over the network without sanitation.”

SolarWinds said in its alert that the Serv-U online login page for LDAP authentication was accepting characters that had not been properly sanitised.

“The input process has been upgraded by SolarWinds to provide further validation and sanitization. Because the LDAP servers disregarded erroneous characters, there was no downstream effect,” the company said, adding that Serv-U versions 15.2.5 and earlier are affected.

Ray Kelly of NTT Application Security said the vulnerability both surprised and alarmed him, especially because SolarWinds is coming off a breach that affected thousands of customers.

“Given that the Log4j vulnerability was disclosed in December, SolarWinds should have prioritised this open source issue. While it appears that SolarWinds was not vulnerable to the vulnerability being exploited, it’s still not something you want in your programme,” Kelly said.

“Almost all application security tools can detect the Log4j vulnerability, allowing developers to easily identify and resolve the problem.”

Microsoft advised customers to apply the security updates described in the SolarWinds advisory and said they can use its tools to identify and remediate devices running the affected versions. It also noted that Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect behaviour related to this activity.

Microsoft’s warning and SolarWinds’ swift reaction time, according to Netenrich’s John Bambenek, offer a solid example of how vulnerabilities should be addressed.

“This is the sort of vulnerability and research collaboration we need,” Bambenek added, “where a large tech business with insight into the assaults contacts the software company and a cure is expedited to production.”