Trustwave said it intends to release a proof-of-concept (PoC) code next week on February 9.Ĭhief among the vulnerabilities uncovered by Trustwave includes improper use of Microsoft Messaging Queue ( MSMQ), which is used heavily by the SolarWinds Orion Collector Service, thereby allowing unauthenticated users to send messages to such queues over TCP port 1801 and eventually attain RCE by chaining it with another unsafe deserialization issue in the code that handles incoming messages.
SOLARWINDS VULNERABILITY INSTALL
It's highly recommended that users install the latest versions of Orion Platform and Serv-U FTP ( 15.2.2 Hotfix 1) to mitigate the risks associated with the flaws. MSTIC strongly recommended that affected customers apply the SolarWinds security updates.The two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25. On Tuesday, Akamai researchers also reported that they’ve detected evidence of the unauthenticated remote code execution (RCE) vulnerability in Log4j – tracked as CVE-2021-44228 – being adapted to infect and assist in the proliferation of malware used by the Mirai botnet by targeting Zyxel networking devices. The Serv-U attacks are just the latest in the rampant Log4j exploit attempts and testing that have been thrown at the multiple flaws in Apache’s Log4j logging library since those flaws were disclosed – and came under near-immediate attack – last month.
SolarWinds said that it hasn’t seen any “downstream ” of the bug, given that “the LDAP servers ignored improper characters.”įor its part, MSTIC didn’t give details about the attack it observed. “This could be used for log4j attack attempts, but also for LDAP injection.”Ī SolarWinds representative told Threatpost that the attacker wasn’t able to login to Serv-U, and that the Microsoft researcher was referencing attempted logins that failed, since Serv-U doesn’t leverage Log4J code. “Taking a closer looked revealed you could feed Serv-U with data and it’ll build a LDAP query with your unsanitized input!” he said. Microsoft security researcher Jonathan Bar Or, credited with discovering the bug, explained that he had seen attacks coming from serv-u.exe while hunting for log4j exploit attempts. “The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized,” SolarWinds said in its advisory, adding that it had updated the input mechanism “to perform additional validation and sanitization.” SolarWinds fixed the vulnerability in Serv-U version 15.3, released on Tuesday. The bug, discovered by Microsoft’s Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior. The SolarWinds vulnerability, tracked as CVE-2021-35247, is an input validation flaw that could allow attackers to build a query, given some input, and to send that query over the network without sanitation, Microsoft’s Threat Intelligence Center (MSTIC) said. The attempt failed, given that Serv-U doesn’t use Log4j code and the target for authentication – LDAP (Microsoft Active Directory) – isn’t susceptible to Log4j attacks. SolarWinds subsequently reached out to Threatpost and other news outlets on Thursday to clarify that Microsoft’s report referred to a threat actor attempting to login to Serv-U using the Log4j vulnerability.
SolarWinds had issued a fix the day before, on Tuesday.
SOLARWINDS VULNERABILITY SOFTWARE
This is a confusing story: Initially, Microsoft had warned on Wednesday that attackers were exploiting a previously undisclosed vulnerability in the SolarWinds Serv-U file-sharing software to propagate Log4j attacks against networks’ internal devices via the SolarWinds bug. Attackers are trying to log in to SolarWinds Serv-U file-sharing software via attacks exploiting the Log4j flaws.
0 kommentar(er)
