According to the Microsoft Threat Intelligence Center (MSTIC), “Tracked as CVE-2021-35247 (CVSS score: 5.3), the problem is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.”
The flaw, discovered by security researcher Jonathan Bar Or, affects Serv-U versions 15.2.5 and earlier, and it has been fixed in Serv-U version 15.3.
SolarWinds reported that “the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently cleaned up,” and that it has “updated the input mechanism to perform additional validation and sanitization.”
The maker of IT management software also stated that “no downstream effect has been detected as the LDAP servers ignored improper characters.” It is unclear whether the Microsoft-detected attacks were merely attempts to exploit the flaw or whether they were ultimately successful.
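The weakness described above, a login value dropped into an LDAP query with no sanitization, is easiest to see next to its fix. The Python below is an added illustrative example written for this page, not Serv-U's code or SolarWinds' patch; the filter template `(&(objectClass=person)(uid=...))`, the function names and the allowlist pattern are assumptions. It shows how an unescaped login name rewrites the filter that reaches the LDAP server, and the RFC 4515 escaping plus an allowlist check of the kind the advisory's "additional validation and sanitization" refers to.

```python
import re

# RFC 4515 section 3: these characters must appear as \XX inside a filter
# assertion value. Mapping per character (rather than sequential str.replace)
# avoids double-escaping the backslash.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed allowlist for a login name: letters, digits, a few punctuation
# characters, bounded length. Structural filter characters and control
# characters are rejected before any query is built.
_LOGIN_NAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an assertion value in an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_login_name(username: str) -> bool:
    """Allowlist check applied to the login field before the filter is assembled."""
    return _LOGIN_NAME_RE.fullmatch(username) is not None


def build_filter_vulnerable(username: str) -> str:
    """The weak pattern: the login name is concatenated straight into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_hardened(username: str) -> str:
    """The corrected pattern: validate, then escape before interpolation."""
    if not is_valid_login_name(username):
        raise ValueError("login name contains characters outside the allowlist")
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def assertion_count(ldap_filter: str) -> int:
    """Number of attribute assertions in a filter built from the template above.

    The template has one outer AND; every other unescaped '(' opens an
    assertion. Escaped parentheses are the text \\28 / \\29, so a raw count of
    '(' is exact for filters produced by these builders.
    """
    return ldap_filter.count("(") - 1


if __name__ == "__main__":
    # Constructed input: closes the uid assertion early and appends a wildcard
    # match, turning a single-user lookup into one that matches every person.
    injected = "*)(objectClass=*"
    weak = build_filter_vulnerable(injected)
    print("vulnerable:", weak, "->", assertion_count(weak), "assertions")
    escaped_only = f"(&(objectClass=person)(uid={escape_ldap_filter_value(injected)}))"
    print("escaped:   ", escaped_only, "->", assertion_count(escaped_only), "assertions")
    try:
        build_filter_hardened(injected)
    except ValueError as exc:
        print("hardened:   rejected before the query was built:", exc)
    print("hardened:  ", build_filter_hardened("alice"))
```

Escaping alone is enough to keep the LDAP server from reinterpreting the value; the allowlist in front of it is the belt-and-braces step, and it is what stops payloads that are harmless to LDAP itself but dangerous to whatever logs or forwards the field downstream.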
The reports come as multiple threat actors continue to exploit the Log4Shell flaws to mass-scan and infiltrate vulnerable networks in order to deploy backdoors, coin miners, ransomware and remote shells that provide persistent access for further post-exploitation activity.
The researchers also note that the flaws are being exploited to infect machines and aid the spread of malware used by the Mirai botnet. A Chinese hacking group has previously been observed exploiting a critical security vulnerability affecting SolarWinds Serv-U (CVE-2021-35211) to install malicious programs on infected machines.