CVE-2021-35247
Published 2022-01-10
Priority P2 (76) · CVSS 3.1 base score 5.3 (medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2022-02-04
Exploited in the wild (ITW)
EPSS: 3.36% (87.2th percentile)
The Serv-U web login screen's LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please note: no downstream effect has been detected, as the LDAP servers ignored the improper characters. To ensure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u | < 15.3 | 15.3 |
| solarwinds | serv-u | 15.2.5 and earlier (< 15.3) | 15.3 |
Detection & IOCs (extracted from sources)
- Target application is the SolarWinds Serv-U web login screen; monitor for unsanitized or malformed characters submitted to the LDAP authentication input fields on the Serv-U web login endpoint.
- Monitor for crafted LDAP queries originating from Serv-U (versions 15.2.5 and earlier) that contain unexpected or special characters, indicative of unsanitized query construction.
- LDAP servers in tested environments silently ignored the improper characters, meaning exploitation may produce no downstream error or anomaly on the LDAP server side; passive LDAP-side logging alone is insufficient for detection.
- Affected versions are Serv-U 15.2.5 and earlier; ensure the asset inventory accurately reflects the installed Serv-U version to scope detection and patching efforts.
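The vendor description and the detection entries above come down to the same mechanism: a username taken from the web login form is spliced into an LDAP search filter without escaping, and the LDAP server may log nothing unusual, so the check has to happen on the Serv-U side. The following Python script is an added example, not SolarWinds code and not Serv-U's real filter template. It assumes a hypothetical filter on the `uid` attribute and a constructed `key=value` login-audit log format (Serv-U's actual log layout is not shown on this page). It places the unsanitized filter construction beside an RFC 4515-escaped version, then runs a detector over the sample lines that URL-decodes each submitted username and flags LDAP filter metacharacters.

```python
import re
from urllib.parse import unquote_plus

# RFC 4515 section 3: characters that must be escaped when a value is
# embedded inside an LDAP search filter string.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Unsanitized construction: the username lands in the filter verbatim.
    Hypothetical template; Serv-U's real filter is not published on this page."""
    return f"(&(objectClass=user)(uid={username}))"


def build_login_filter_safe(username: str) -> str:
    """Same template with the username escaped per RFC 4515."""
    return f"(&(objectClass=user)(uid={escape_filter_value(username)}))"


# Filter metacharacters that a legitimate login name should not contain.
_META = re.compile(r"[*()\\\x00]")

# Constructed sample lines in a hypothetical key=value login-audit format.
# Usernames are URL-encoded the way a browser form submission would send them.
SAMPLE_LOG = """\
2022-01-10T08:00:01Z src=198.51.100.7 user=alice result=ok
2022-01-10T08:00:05Z src=203.0.113.9 user=admin%29%28%7C%28uid%3D%2A result=fail
2022-01-10T08:00:09Z src=203.0.113.9 user=%2A result=fail
2022-01-10T08:00:12Z src=198.51.100.8 user=bob.smith result=ok
"""

_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) result=(?P<result>\S+)$")


def suspicious_logins(log_text: str) -> list[dict]:
    """Return login records whose decoded username contains LDAP filter metacharacters.
    Decoding first matters: the raw log field shows %2A, not '*'."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # skip lines that are not login records
        user = unquote_plus(m["user"])
        if _META.search(user):
            hits.append({"ts": m["ts"], "src": m["src"], "user": user, "result": m["result"]})
    return hits


if __name__ == "__main__":
    attacker = "admin)(|(uid=*"
    print("unsafe:", build_login_filter_unsafe(attacker))
    print("safe:  ", build_login_filter_safe(attacker))
    for hit in suspicious_logins(SAMPLE_LOG):
        print("suspicious:", hit)
```

The unsafe filter shows how `)(|(uid=*` closes the `uid` assertion and appends its own clause, while the escaped form keeps the whole string inside one assertion. The detector intentionally does not depend on any LDAP-side signal, matching the note above that the directory may swallow the bad characters silently; tune the metacharacter set against your own directory's naming rules before alerting on it.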
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vulncheck | | 4.3 | MEDIUM | |
| cisa | | 5.3 | MEDIUM | |
CISA
SolarWinds Serv-U Improper Input Validation Vulnerability
cisa · 2022-01-21 · CVSS 5.3
CVE-2021-35247 [MEDIUM] CWE-20
Vulnerability: SolarWinds Serv-U Improper Input Validation Vulnerability
Affected: SolarWinds Serv-U
SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability that allows attackers to build and send queries without sanitization.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-35247
Remediation Due Date: 2022-02-04
GHSA
GHSA-jqwj-9jvg-583v: Serv-U web login screen was allowing characters that were not sanitized by the authentication mechanism
ghsa_unreviewed · 2022-01-11
CVE-2021-35247 [CRITICAL] CWE-20
The Serv-U web login screen was allowing characters that were not sanitized by the authentication mechanism. SolarWinds has updated the authentication mechanism to remedy this issue and prevent unauthorized parameters from being used in the Serv-U login screen. With the Log4j issue in the wild, input fields across the internet have been tested for vulnerability. Although Serv-U was not affected by the Log4j issue, it was discovered that better input validation could be implemented.
VulnCheck
SolarWinds Serv-U Improper Input Validation Vulnerability
vulncheck · 2021 · CVSS 4.3
CVE-2021-35247 [MEDIUM] CWE-20
SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability that allows attackers to build and send queries without sanitization.
Affected: SolarWinds Serv-U
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.mandiant.com/resources/blog/zero-days-exploited-2022
Remediation Due: 2022-02-04
No detection rules found.
No public exploits indexed.
References:
- https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35247
Timeline:
- 2022-01-10 · Published
- 2022-01-21 · Added to CISA KEV (exploited in the wild)