IT administrators whose firms use SolarWinds’ Serv-U file transfer application are being urged to install an update after the discovery of a vulnerability.
Microsoft, which discovered the bug (CVE-2021-35247), described it as an “input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.”
The discovery came when Microsoft saw suspicious attacks during its ongoing monitoring of threats trying to take advantage of the Log4j2 vulnerabilities.
SolarWinds issued an update for Serv-U, version 15.3, to patch the bug. It said the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. The fix updates the input mechanism to perform additional validation and sanitization.
“No downstream effect has been detected as the LDAP servers ignored improper characters,” SolarWinds added.
CLARIFICATION: SolarWinds said Microsoft’s report described a threat actor attempting to login to Serv-U using the Log4j vulnerability, but that attempt failed because Serv-U does not utilize Log4j code.
Separately, a researcher at Akamai discovered evidence in a captured binary that the Mirai botnet is trying to exploit the Log4j2 vulnerability in network devices made by Zyxel.
However, he added, the LDAP server where the exploit was hosted was no longer active when researchers attempted to download the Java payload class.
“It could be that Zyxel was specifically targeted since they published a blog stating they were impacted by the log4j vulnerability,” blog author Larry Cashdollar said. Of all its products, only the company’s NetAtlas Element Management System is vulnerable. Zyxel issued a hotfix on Dec. 20, 2021, and full patches will be available at the end of February.
“The interesting thing about this malware is if you have automated string extraction utilities for malware samples that log to a vulnerable Log4j instance, this payload could execute,” he added. “Doing so could possibly, depending on your setup, infect your malware analysis system. Again, patching your vulnerable systems is the key here to protect your servers from compromise.”
