CVE-2021-35247
Published: 10 January 2022
Summary
CVE-2021-35247 is a medium-severity Improper Input Validation (CWE-20) vulnerability in SolarWinds Serv-U. Its CVSS base score is 4.3 (Medium).
Operationally, it is ranked in the top 9.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability in CVE-2021-35247 is improper input validation affecting the web login screen's LDAP authentication mechanism in SolarWinds Serv-U. The component failed to sufficiently sanitize characters submitted during authentication, although the vendor notes that downstream LDAP servers ignored the improper input and no further impact was observed in practice. The issue is tracked under CWE-20 with a CVSS 3.1 score of 4.3.
An unauthenticated attacker can exploit the flaw over the network by supplying crafted input to the login interface, which requires user interaction such as clicking a malicious link. Successful exploitation yields limited integrity impact while leaving confidentiality and availability unaffected.
SolarWinds Serv-U release notes for version 15.3 and the associated security advisory state that the input mechanism now performs additional validation and sanitization. The vendor recommends that all customers schedule an update to the latest Serv-U version to ensure proper validation regardless of LDAP server behavior. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
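The control the advisory points to (SI-10, validate and sanitize login input before it reaches the LDAP server) is easiest to see as code. The block below is an added illustration, not Serv-U's own code and not a reconstruction of the defect: the page does not disclose which characters were accepted or how the login value was used. It shows the general pattern for any application that builds an LDAP search filter from a web login field, escaping per RFC 4515 and applying an allow-list first; the `uid` attribute, the `person` object class and the username character set are assumptions chosen for the example.

```python
import re

# RFC 4515 section 3: these characters carry meaning inside a filter value and
# must be written as backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is treated as literal data in a filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: escape every UTF-8 byte, which
            # RFC 4515 permits and which removes any ambiguity at the server.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Assumed allow-list for a login name; tighten or loosen to match the directory's
# real naming rules. Validation (reject) runs before escaping (neutralize).
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """SI-10 style allow-list check: True only if every character is permitted."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_login_filter(username: str) -> str:
    """Hardened builder: reject disallowed input, then escape what remains."""
    if not is_valid_username(username):
        raise ValueError("username contains disallowed characters")
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def build_login_filter_unsafe(username: str) -> str:
    """Unvalidated concatenation, shown only for contrast; a wildcard or a
    parenthesis in the login name becomes part of the filter's grammar."""
    return f"(&(objectClass=person)(uid={username}))"


if __name__ == "__main__":
    # Constructed sample inputs: a normal login name and one carrying a wildcard.
    for name in ("alice", "al*"):
        print("unsafe :", build_login_filter_unsafe(name))
        print("escaped:", escape_ldap_filter_value(name))
        print("valid? :", is_valid_username(name))
```

The vendor note that downstream LDAP servers happened to ignore the improper characters is exactly why the fix belongs in the application: the hardened builder does not depend on server behaviour, which is what "proper validation regardless of LDAP server behavior" means in practice.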
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-21890
Vulnerability details
Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream effect has been detected as the LDAP servers ignored improper characters. To ensure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U.
- CWE(s): CWE-20
- KEV Date Added: 21 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all input to the Serv-U web login LDAP interface, eliminating the unsanitized characters that constitute the CVE-2021-35247 flaw.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patch (Serv-U 15.3+) that implements the additional input validation and sanitization required to close this vulnerability.
- Vulnerability scanning: requires scanning to identify the presence of the vulnerable Serv-U version so the flaw can be located and remediated before exploitation.