Microsoft Finds SolarWinds Vulnerability Amid Log4j SearchTech Giant Discloses Serv-U Software Flaw to SolarWinds, Which Issues Patch
Microsoft researchers tracking Apache Log4j exploits last week discovered a previously undisclosed vulnerability in SolarWinds' Serv-U software, which the firm has since confirmed and patched.
Jonathan Bar, a security researcher with the tech giant, last week tweeted, "When hunting for log4j exploit attempt I noticed attacks coming from serv-u.exe. Taking a closer look revealed you could feed Ssrv-U with data and it'll build a LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection."
In a follow-up post, however, Bar wrote, "Solarwinds immediately responded, investigated, and fixed the #vulnerability. Their response is the quickest I've seen, really amazing work on their part!"
On its blog, Microsoft later expanded on the findings, writing: "We discovered that the vulnerability, now tracked as CVE-2021-35247, is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation."
Microsoft confirmed that it had reported the discovery to SolarWinds, adding, "We'd like to thank their teams for immediately investigating and working to remediate the vulnerability." The company also points users to its Defender for Endpoint solution to identify and remediate devices that have the vulnerability.
And in an advisory, SolarWinds confirms: "The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please note: No downstream affect has been detected as the LDAP servers ignored improper characters."
The firm urges customers to update to its latest version of Serv-U, which is 15.3, to combat the latest discovery. Previously, a wide-scale SolarWinds breach in 2020, carried out by Russian nation-state group Nobelium via a corrupted software update, affected some 100 organizations globally and nine federal agencies (see: 7 Takeaways: Supply Chain Attack Hits SolarWinds Customers).
Experts Praise Speed
To some security experts, the disclosure-to-patch process on this case, which took two days, was impressive.
"This is the kind of research and vulnerability cooperation we need, where a major technology company with visibility to see the attacks reaches out to the software company and a fix is quickly rushed to production," John Bambenek, principal threat hunter at Netenrich, tells ISMG.
Still, others say the flaw came as a surprise.
"Not only is this surprising, it is also concerning as SolarWinds is coming off their previous breach," says Ray Kelly, a fellow at NTT Application Security. "While it appears that SolarWinds was not susceptible to have the vulnerable component exploited, it's not something you want in your software product."
Ongoing Exploit Attempts
The remote code execution vulnerability in the Java-based logging utility Log4j was first reported Dec. 9, after allegedly being detected by Alibaba's cloud security unit. The Apache Software Foundation, the nonprofit that manages Apache's open-source projects, continued to push out semi-regular updates for the logging library.
Now, attackers have also been actively targeting Log4j vulnerabilities in the servers of virtualization solution VMware Horizon, to establish persistent access via web shells, according to officials at the U.K. National Health Service (see: Log4Shell Update: VMware Horizon Targeted).
The web shells could allow unauthenticated attackers to remotely execute commands on a server affected by Log4Shell vulnerabilities to establish persistence within affected networks, the NHS warns in an alert, adding that an attacker can use these web shells to deploy malicious software or ransomware and exfiltrate data.
Warning From Dutch Officials
Also last week, the Dutch National Cyber Security Center issued a stark warning to security practitioners, saying: Don't lose sight of Log4j exploits, as more attacks are likely in the works.
In an advisory, the NCSC says, "Partly due to the rapid actions of many organizations, the extent of active abuse appears to be not too bad at the moment. But that doesn't mean it stops there. It is expected that malicious parties will continue to search for vulnerable systems and carry out targeted attacks in the coming period. It is therefore important to remain vigilant."
In the post, Dutch officials advise organizations to "continue to monitor whether vulnerable systems are used and to apply updates or mitigating measures where necessary."
And NCSC officials add, "Log4j has already taught us a valuable lesson: how important it is to collectively get an even better grip on the software we use."
Earlier this month, reports indicated that attackers were wielding Night Sky ransomware to exploit vulnerabilities in the widely used Apache software. This came just weeks after Apache's first public alert that the critical flaw in the Java Naming and Directory Interface API could be exploited to take control of a vulnerable system.
U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a press conference this month that federal activity to patch or mitigate Log4j has been "exceptional" and that "we're really tackling the challenge with an unprecedented level of operational collaboration" (see: CISA: Federal Response to Log4j Has Been 'Exceptional').
Easterly confirmed that there has been widespread exploitation of Log4j by criminal actors and that adversaries may have already compromised systems and could be waiting to leverage their access once network defenders are on "lower alert" - language that matches the Dutch advisory.
Also this month, and in response to Log4j, the White House hosted tech leaders and federal agencies in a summit to discuss ways to improve open-source software security (see: White House Hosts Open-Source Security Summit With Big Tech).
A senior administration official told ISMG that the objective of the meeting was to "facilitate an important discussion" around open-source software, which is widely used and can be inspected, modified and enhanced by developers.
Organizations in attendance included Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook/Meta, GitHub, Google, IBM, Linux Open Source Foundation, Microsoft, Oracle, RedHat and VMware.
U.S. agencies and departments in attendance included the departments of Commerce, Homeland Security, Energy and Defense; CISA; the Office of the National Cyber Director; the National Institute of Standards and Technology; the Office of Science and Technology Policy; and the National Science Foundation.