UPDATE--Microsoft has identified a new vulnerability in SolarWinds Serv-U that some attackers have been trying to exploit in Log4Shell attacks, though those attempts have failed because the vulnerable Log4j code is not present in Serv-U.
The weakness is in the SolarWinds Serv-U application, which is a managed FTP platform, and Microsoft researchers identified attackers exploiting it while monitoring the attacks on Log4J flaws. Microsoft said the vulnerability was previously unknown and the company reported it to SolarWinds, which released an updated version.
“During our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. We discovered that the vulnerability, now tracked as CVE-2021-35247, is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation,” Microsoft said in its advisory.
The vulnerability affected versions 15.2.5 and earlier of Serv-U, and is fixed in version 15.3.
“The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream effect has been detected as the LDAP servers ignored improper characters,” the SolarWinds advisory says.
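The weakness both advisories describe is login input reaching an LDAP query without sanitization. The following is an added example, not SolarWinds' or Microsoft's code: it puts the weak concatenation pattern beside an RFC 4515-escaped version and a validation gate a login form can apply. The filter template and the `sAMAccountName` attribute are assumptions, and the login name shown is a constructed sample.

```python
# Added example (not SolarWinds' or Microsoft's code). Shows the weak pattern the
# advisory describes (login input reaching an LDAP query unsanitized) next to an
# RFC 4515-escaped version. The filter template and attribute name are assumptions.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is treated as data, never as filter syntax."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def has_filter_metacharacters(value: str) -> bool:
    """Validation gate for a login form: True if the name contains filter syntax."""
    return any(ch in _LDAP_FILTER_ESCAPES for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Weak pattern: the raw login name is concatenated into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter(username: str) -> str:
    """Hardened pattern: the login name is escaped before it is placed in the filter."""
    return f"(&(objectClass=user)(sAMAccountName={escape_ldap_filter_value(username)}))"


def count_assertions(ldap_filter: str) -> int:
    """For a flat (&(a=b)(c=d)...) filter, the number of assertions inside the AND.
    Escaped parentheses are hex sequences, so only a literal '(' counts."""
    return ldap_filter.count("(") - 1


if __name__ == "__main__":
    # Constructed login attempt: a name that carries filter metacharacters.
    login_name = "*)(objectClass=*"
    for builder in (build_login_filter_unsafe, build_login_filter):
        ldap_filter = builder(login_name)
        # The unsafe builder yields 3 assertions (the query shape changed);
        # the escaped builder keeps the template's 2.
        print(count_assertions(ldap_filter), ldap_filter)
```

A filter whose assertion count differs from the template's is the server-side symptom of the unsanitized input the advisories describe; rejecting or escaping at the form is the fix.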
Since the initial disclosure of the first Log4Shell vulnerability in December, several others have been discovered in the Apache Log4J logging tool, and many third-party vendors have found that their own applications that include vulnerable versions of the tool are open to attack, as well. The remediation effort by vendors and enterprise security teams has been extensive, and attacks and scanning for vulnerable hosts have been ongoing for weeks.
Researchers at GreyNoise, which monitors the Internet for scanning activity, said benign and malicious scanning is still occurring.
“As of January 2022, a month after initial CVE announcement, GreyNoise still observes a significant volume of traffic related to the Log4j vulnerability. This traffic is primarily composed of generic JNDI string exploit attempts with known obfuscations,” GreyNoise said.
“One of the interesting patterns we saw during the first few days of the Log4j ‘scan-and-exploit’ outbreak was a huge surge in benign actors scanning for the vulnerability.”
_This article was updated on Jan. 21 to clarify that Serv-U is not vulnerable to the Log4Shell attacks._