What is Log4Shell Vulnerability?
If you have ever played or heard about the game Minecraft, then the chances are high that you would have also come across the term ‘Log4Shell exploit, which is one of the worst attacks to hit a game. This exploit also known as the “zero-day exploit” allowed malicious players to take control of other Minecraft player’s systems.
Since its existence was completely unknown to the players in the initial stages, many Minecraft accounts were compromised and held hostage by malicious actors.However, the first instance of such an exploit was reported by the Alibaba security group in November 2021.
But what exactly is Log4Shell vulnerability and why should we be careful about it. Let’s find out in this post.
Table of Contents
- What is Log4Shell vulnerability?
- How is Log4Shell vulnerability exploited?
- How is Log4j vulnerability exploited?
- How to prevent Log4j vulnerability?
- Closing Thoughts
What is Log4Shell?
Log4Shell is a Log4j vulnerability. To the uninitiated Log4j is an open-source logging library, used in applications and services across the internet. The Log4j vulnerability (Log4Shell) can be used to break into systems, steal passwords, retrieve data and infect the network with malicious software. Also, since Log4j is widely used in several software applications and services across the world, exploiting its vulnerability requires little expertise.
Log4j records events, errors, and routine system operations, communicating diagnostic messages to system administrators and users. A good instance of Log4j in action would be when you click on a bad link, and it says 404 and denies a connection request. This diagnostic message is sent through by log4j to your browser. It also records the event in a log file and sends it to the system administrator using Log4j.
Almost all applications will have the ability to keep track of all the changes in the software applications and services. This activity is called logging and helps developers keep track of all changes in the online services and applications.
This exploit was not just confined to Minecraft but also to other platforms such as iCloud, Twitter, and Amazon. As Log4j extends to almost all software applications and online services, a wide array of services gets affected if not taken care of it. Not just individuals, even large enterprises dealing with a lot of web servers and hardware are affected leaving them unprotected and vulnerable to malicious actors.
How is Log4j vulnerability exploited?
Before we answer this question, you need to know about LDAP and JNDI
LDAP is an open application protocol used to save and access distributed application directory information services. In simple words, imagine you are logging in with your username and password in a business application. This is where LDAP comes into the picture. It saves your username and password, informs the authorization server when you are logging in again, and returns the username from user accounts, that match your username and password. In summary, LDAP is a lightweight directory used to query user information rapidly.
JNDI provides an API for the business application to connect/interact with the LDAP server. This is because JNDI cannot directly access the LDAP server.
So now let's get to the part of how Log4j vulnerability can be exploited.
Log4j allows the logging of messages that contain format strings, which, in turn, reference any external information through the Java naming and directory interface. This allows retrieving information by using the lightweight LDAP. The contents of these log messages usually contain user-controlled data and attackers can insert JNDI references pointing to LDAP servers, that is ready to serve any queries they want.
Consider an example of a log message like the one below.
The above log message instructs JNDI to interact with the LDAP server at the “anonymous server” requesting the exploit object. By default, JNDI executes Java classes that LDAP references. If the LDAP server’s response includes the URL https://anonymous server/exploit, then JNDI requests the exploit file from the web server and executes the response. At this juncture, you have achieved Remote Code Execution (RCE) from your application. RCE involves the attacker executing malicious commands remotely on the target computer.
How to prevent Log4j vulnerability?
- Firewalls - Using outgoing firewall rules is a good way to hold the attackers at bay. Outbound firewall protects against outgoing traffic including requests. Also if the server can make DNS lookups and the attacker scans for vulnerabilities in Log4j, the DNS lookup will be triggered. Although attackers can easily bypass firewalls, blocking outgoing requests can surely provide a good degree of security.
- Update regularly - Apache has already patched this existing vulnerability, with the 2.16.0 version being the latest one and all the versions below 2.16.0 being vulnerable to remote code execution attacks.
- Use a Log4j scanner - You can use the Log4j scanning tool, which is accurate, automated, and reliable for detecting Log4j RCE vulnerabilities. You can download Log4j-scan from the Github repository and clone it.
- Threat hunting and alerts - The National Cybersecurity Center (NCSC) recommends setting up alerts and warnings in devices running Log4j.
- Blocking dangerous character strings - By identifying and blocking malicious character strings, especially on upstream devices like a web application firewall, you can protect your devices running Log4j.
Log4j has taken the IT world by storm, and there is no one-size-fits-all solution for this vulnerability. This vulnerability always existed but was overlooked until it was discovered in 2020. All major Java-based enterprises use Log4j and hence this vulnerability affects most online services and applications. Although online vendors claim to have patched this vulnerability through updates, security researchers and defense teams are not sure of how reliable their claim is. So end-users should take care of Log4j vulnerability by following the above tips.