• Perspective
Published on 28 January 2022

Présentation vulnérabilité Log4Shell

A new cyber risk was discovered by Alibaba Cloud Security teams on 24/11. This has led since 10/12 to a large number of attacks reported after the exploit was published on GitHub. This CVSS vulnerability of criticality 10 was announced under the name Log4Shell (CVE-2021-44228).

The vulnerability affects the Apache Log4j library, a ubiquitous Java package for millions of applications. In this article, you will find a presentation of the affected library, the potential impacts on your IS and the exploitation methods of the vulnerability, as well as the remedies to protect yourself.

1. Log4j?

Apache Log4j is a powerful logging library, distributed by the Apache Foundation through an open-source GitHub project. This means that it is maintained by a few members who use their free time to develop free applications for which you don't have to pay.

The Log4j utility is used in countless programs, as Sean Gallagher, senior threat researcher at Sophos, points out: "Log4j is a Java library that is used by many products. It specialises in event logging for applications. It can therefore be present in the darkest corners of an organisation's infrastructure, for example, any software developed in-house. Systems vulnerable because of Log4Shell should be a priority for IT security."

2. Vulnerabilities related to Log4j

The Zero Day vulnerability, nicknamed Log4Shell due to its possible exploitation, was quickly published as CVE-2021-44228.

As stated in the report by the LunaSec team of cyber security researchers, this vulnerability first found through a (multiplayer) server of the Minecraft video game, can affect anyone using the Log4j library and its packages (Log4j-core, Log4j-api, etc.) between version 2.0-beta9 and version 2.14.1, which gives an even greater attack scope.

A second article published by LunaSec describes the steps to follow to check if a system is vulnerable

(https://www.lunasec.io/docs/blog/Log4j-zero-day-mitigation-guide/).

The CVSS score ranked the Log4Shell vulnerability at 10, as a "critical" vulnerability. The criticality lies in the following areas:

- The Log4j exploit is easy to implement. A novice developer is able to perform it.

- The attack surface.

- Use in unauthenticated mode.

The scale is so large that very popular cloud services such as Steam or Apple iCloud would potentially be affected. It is important to know that even without directly using the Log4j library, one can be confronted with the vulnerability, as several frameworks such as Apache Struts, Druid, ElasticSeach, Kafka can depend on Java and its libraries, and are probably affected by this vulnerability. As a security measure, some prefer to take the site offline, as is the case in Quebec where nearly 4,000 government sites and services have been taken offline for security reasons.

The degree of impact of the attacker is defined by the privileges associated with the corrupted systems or services. With full user rights an attacker would have RCE (Remote Control Execution), he would have the freedom to install programs, display, or even delete data. Conversely, the corruption of systems with lesser rights reduces the attacker's impact.

Moreover, a user has published on GitHub a complete PoC, and updated since the publication of the vulnerability (https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce), which makes the exploitation of this Log4Shell totally public and accessible to all.

Type of vulnerability: Injection (JNDI Lookup

1. Scan to identify vulnerable systems

2. Injection of malicious data through the JNDI component

3. Loading of malicious code into the vulnerable system

4. Compromise the vulnerable system and perform malicious actions: cryptojacking, Ransomware installation, building a Botnet

The following are the steps to be applied in relation to each stage of this pathway:

Step 1: Reduce the verbosity of applications exposed on the Internet

Contact the editors of my application solutions to check if they are exposed to this vulnerability and if a patch is available.

Step 2: Set up filters in your application firewalls (WAF) to block exploitation attempts

Prioritise patch management with version 2.16.0

Step 3: Filter and log outgoing server flows to limit them to authorised flows to trusted services (network hardening)

Step 4: Improve detection by performing an in-depth analysis of network logs (HTTP logs, DNS, etc.)

5. Log4Shell remediation

Cyber security professionals and Apache encourage users to quickly upgrade to version 2.16.0 where possible.

If technical teams are unable to do so, several other remedies are available to mitigate the vulnerability:

1. Between versions 2.10.0 and 2.15:

- Change the Log4j2.formatMsgNoLookups configuration parameter to TRUE.

or

- Remove the JndiLookup class in the classpath parameter to eliminate the main attack vector (researchers do not rule out the existence of another attack vector).

2. For versions prior to 2.10.0: modify the format of events to be logged with the syntax %m{nolookups} for data that would be provided by the user.

These manual remediation options above, can potentially impact the SOC (Security Operations Center) of companies because the SIEMs use this library and the new log formatting leads to malfunctioning of the event parsing.

There are also solutions that will allow you to fine-tune your security:

1. Update the IP blacklist of your defence systems based on :

- Threat Intelligence from manufacturers

- IP addresses of known malicious sources

2. Update the security equipment (F5, Fortigate ...) with the new rules predefined by the manufacturers based on the IOC of the vulnerability.

This vulnerability highlights the dependence of companies and software publishers on Free Software projects. The contributors of this Log4j library may not be paid for these projects and their support and responsiveness depend only on their own involvement.

(Source xkcd)

6. EVABSSI support

At EvaBSSI, we make Cyber Risk one of our priorities to support our clients' IS Performance. The Cyber Diagnostic is a set of technical and functional security tests with the following objectives

- Assess the overall security maturity

- Analyse the risks of the audited assets

- Propose an action plan to mitigate the identified risks

The audit consists of measuring and analysing the risks according to 8 security domains:

With this approach, we support you in creating a 360° vision of your IS and help you strengthen its security.

Thomas BOUVET, Othmane ERRAJI, Kevin FLORO, Mehdi SADOUN

Sources

https://blog.cloudflare.com/how-cloudflare-security-responded-to-Log4j2-vulnerability/ https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

https://en.wikipedia.org/wiki/Java_logging_framework https://en.wikipedia.org/wiki/Log4j https://logging.apache.org/Log4j/2.x/index.html https://www.jmdoudoux.fr/java/dej/chap-jndi.htm https://cyberwatch.fr/cve/cve-2021-44228-log4shell-comment-detecter-et-corriger-cette-vulnerabilite-sur-Log4j/

https://logging.apache.org/Log4j/2.x/manual/lookups.html https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 https://www.lunasec.io/docs/blog/Log4j-zero-day) https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/ https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/

https://support.f5.com/csp/article/K19026212 https://www.truesec.com/hub/blog/apache-log4j-injection-vulnerability-cve-2021-44228-impact-and-response https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228

Article written by
Tristan Loret