Log4j: What is the Latest Log4j Internet Threat? How bad it is and what’s at stake
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), described Log4Shell as the most serious vulnerability she has seen in her career. There have been hundreds of thousands, maybe even millions, of attempts to exploit the vulnerability.
So what is this humble piece of internet infrastructure, how can hackers exploit it, and what kind of chaos could result?
What does Log4j do?
Log4j records events – errors and routine system operations – and sends diagnostic messages about them to system administrators and users. It is open source software from the Apache Software Foundation.
A common example of Log4j at work is when you enter or click on a broken web link and get a 404 error message. The web server running the domain of the web link you tried to access tells you that there is no such website. It also records this event in a log for the server’s system administrators using Log4j.
Similar diagnostic messages are used in all software applications. For example, in the online game Minecraft, Log4j is used by the server to log activities such as total memory used and user commands entered into the console.
How does Log4Shell work?
Log4Shell works by abusing a feature in Log4j that allows users to supply custom code to format a log message. This feature allows Log4j, for example, to log not only the username associated with every attempt to log in to the server, but also the person’s real name, if a separate server holds a directory linking usernames to real names. To do this, the server running Log4j must communicate with the server that holds the real names.
Unfortunately, this kind of code is not limited to formatting log messages. Log4j lets third-party servers deliver software code that can perform all kinds of actions on the target computer. This opens the door to nefarious activities like stealing sensitive information, taking control of the target system, and distributing malicious content to other users who communicate with the affected server.
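The core of the mechanism described above is that a log message is treated as a template to be interpreted rather than as plain data, so lookup syntax placed in user-supplied input gets executed. The following toy logger is an added illustration, not Log4j code or part of the original article: it expands `${kind:key}` lookup tokens, and its `directory` lookup stands in for the article's separate server that maps usernames to real names. The names `format_vulnerable`, `format_hardened` and the `DIRECTORY` table are constructed for this example.

```python
"""Toy model of the Log4Shell mechanism: a logger that expands ${kind:key}
lookup tokens.  Constructed illustration, not Log4j code."""
import re

# Constructed directory of usernames -> real names (stands in for the
# separate directory server mentioned in the article).
DIRECTORY = {"alice": "Alice Example", "bob": "Bob Example"}

# A lookup token is ${kind:key}; the key may contain {N} argument placeholders.
LOOKUP = re.compile(r"\$\{(\w+):((?:\{\d+\}|[^{}])*)\}")


def lookup(kind: str, key: str) -> str:
    """Resolve one lookup.  Only a local directory exists in this toy; in Log4j
    other lookup kinds could contact remote servers, which is the real danger."""
    if kind == "directory":
        return DIRECTORY.get(key, "<unknown>")
    return f"<unsupported lookup: {kind}>"


def format_vulnerable(pattern: str, *args: str) -> str:
    """Vulnerable design: insert the arguments first, then scan the WHOLE message
    for lookup tokens.  Lookup syntax inside an argument (user data) is executed."""
    message = pattern.format(*args)
    return LOOKUP.sub(lambda m: lookup(m.group(1), m.group(2)), message)


def format_hardened(pattern: str, *args: str) -> str:
    """Hardened design: lookups are honoured only where the developer wrote them
    in the pattern.  Arguments are data: they may fill in a lookup key, but
    their own content is never re-parsed for tokens."""
    def resolve(m: re.Match) -> str:
        key = m.group(2).format(*args)            # argument used as a plain value
        value = lookup(m.group(1), key)
        return value.replace("{", "{{").replace("}", "}}")  # keep braces literal
    expanded = LOOKUP.sub(resolve, pattern)
    return expanded.format(*args)


def demo() -> dict:
    """Run both designs on a normal and on a hostile (lookup-carrying) username."""
    normal, hostile = "alice", "${directory:bob}"
    return {
        "vulnerable_normal": format_vulnerable("login attempt by {0}", normal),
        "vulnerable_hostile": format_vulnerable("login attempt by {0}", hostile),
        "hardened_hostile": format_hardened("login attempt by {0}", hostile),
        # The legitimate feature (log the user's real name) still works:
        "hardened_feature": format_hardened(
            "login by {0} realname=${directory:{0}}", normal),
        "hardened_feature_hostile": format_hardened(
            "login by {0} realname=${directory:{0}}", hostile),
    }


if __name__ == "__main__":
    for name, line in demo().items():
        print(f"{name:25} {line}")
```

In the vulnerable design the hostile username causes a lookup the developer never wrote; in the hardened design the same input is logged verbatim, while the developer's own `${directory:{0}}` in the pattern still resolves. Removing lookup processing from message arguments is exactly the class of change that closes this kind of hole.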
Using Log4Shell is relatively easy. I was able to reproduce the problem in just a few minutes in my copy of Ghidra, a reverse engineering framework for security researchers. The barrier to using this exploit is very low, which means a wider range of people with malicious intent can use it.
Log4j is everywhere
One of the main concerns about Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most software, which makes Log4j very widespread. In addition to popular games like Minecraft, it is used in cloud services like Apple iCloud and Amazon Web Services, as well as in a wide range of programs from software development tools to security tools.
This means that hackers have a wide range of targets: home users, service providers, source code developers, and even security researchers. While large companies like Amazon can quickly patch their web services to prevent hackers from exploiting them, many more organizations are taking longer to patch their systems, and some may not even know they need to.
The damage that can be done
Hackers scan the internet to find vulnerable servers and set up computers that can deliver malicious payloads. To carry out an attack, they query a service (for example, a web server) and try to trigger a log message (for example, a 404 error). The query contains maliciously crafted text that Log4j processes as instructions rather than as data.
These instructions can create a reverse shell that allows the attacking server to remotely control the target server, or they can make the target server part of a botnet. Botnets use multiple hijacked computers to perform coordinated actions on behalf of the hackers.
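Because the attack described above has to pass through a request that the server logs, the server's own access logs are the natural place to look for it. The scanner below is an added example, not part of the original article or any vendor tool: it parses lines in the common combined access-log format and flags Log4j-style `${kind:...}` lookup syntax in fields an anonymous client controls. The log lines are constructed (documentation IP ranges, and `${lookup:example}` is a stand-in token rather than a real Log4j lookup kind), and the function names `scan_log` and `sources` are this example's own.

```python
"""Flag access-log requests carrying Log4j-style lookup syntax in
client-controlled fields.  Added example; sample log lines are constructed."""
import re
from collections import Counter

# Constructed sample lines in the common "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET /nope HTTP/1.1" 404 0 "-" "${lookup:example}"
198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET /${lookup:example}/ HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.5 - - [10/Dec/2021:12:00:04 +0000] "GET /price?total=${total} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Log4j lookup syntax is ${kind:...}.  Requiring the "kind:" part avoids
# flagging harmless "${name}" strings that some web apps carry in URLs.
LOOKUP_TOKEN = re.compile(r"\$\{[A-Za-z]+:[^}]*\}?")

# Fields an anonymous client fully controls and a server commonly logs.
CLIENT_FIELDS = ("request", "referer", "user_agent")


def scan_log(text: str) -> list:
    """Return one finding per client-controlled field containing lookup syntax."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:
            continue   # a production scanner would count unparsable lines
        for field in CLIENT_FIELDS:
            token = LOOKUP_TOKEN.search(m.group(field))
            if token:
                findings.append({
                    "line": number, "ip": m.group("ip"), "field": field,
                    "status": int(m.group("status")), "token": token.group(0),
                })
    return findings


def sources(findings: list) -> Counter:
    """Count findings per source IP, the usual pivot for blocking or triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['ip']} put {f['token']!r} in {f['field']}")
    print("per source:", dict(sources(found)))
```

Note the two hits both come from requests that produced a 404, which matches the article's point that attackers deliberately trigger an error so that their text gets logged. The last sample line shows why the detector insists on the `kind:` part: a plain `${total}` in a query string is noise, not lookup syntax.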
Many hackers are already trying to abuse Log4Shell. These range from ransomware gangs locking up Minecraft servers, to hacking groups trying to mine Bitcoin, to hackers connected to China and North Korea trying to gain access to sensitive information from their geopolitical rivals. The Belgian Ministry of Defense reported that its computers were attacked using Log4Shell.
Although the vulnerability first became common knowledge on December 10, 2021, people are still looking for new ways to cause harm through this mechanism.
It’s hard to tell whether Log4j is used in any particular software system, as it is often bundled as part of other software. This means system administrators must inventory their software to find out whether it is present. When some people don’t even know they have a problem, it is much harder to eliminate the vulnerability.
Another consequence of the many ways Log4j is used is that there is no one-size-fits-all fix. Depending on how Log4j has been integrated into a particular system, remediation takes different forms: a major system update, as with some Cisco routers; an upgrade to a new version of the software, as with Minecraft; or manually removing the vulnerable code for those unable to update.
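The inventory problem described above is harder than a file search because Log4j is usually shipped inside an application archive, sometimes a JAR inside a WAR inside an EAR. The script below is an added example, not from the original article or from the Log4j project: it walks a directory, opens every archive, descends into nested archives, and reports each copy of `log4j-core` it finds with its version and whether the JNDI lookup class is still present (the class whose removal is the "manually removing the vulnerable code" option). It assumes the Maven convention that a built JAR carries `META-INF/maven/<groupId>/<artifactId>/pom.properties` with a `version=` line, and assumes the lookup class path from Log4j 2's package layout; the sample tree built by `demo()` and the version string `2.x-SAMPLE` are constructed.

```python
"""Find copies of log4j-core inside application archives, including nested
ones.  Added example; the sample deployment built by demo() is constructed."""
import io
import os
import tempfile
import zipfile

# Maven convention for the build metadata a JAR carries (assumption).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Path of the JNDI lookup class, assumed from Log4j 2's package layout.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 5   # guard against archive bombs / runaway recursion


def parse_version(pom_properties: bytes) -> str:
    """Pull the version= value out of a Maven pom.properties file."""
    for line in pom_properties.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def inspect_archive(data: bytes, label: str, depth: int = 0) -> list:
    """Report every log4j-core found in an archive, descending into nested ones."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip container; skip it
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            findings.append({
                "location": label,
                "version": parse_version(zf.read(POM_PROPERTIES)),
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        if depth < MAX_NESTING:
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings += inspect_archive(zf.read(name), f"{label}!{name}", depth + 1)
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory and inspect every archive under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in sorted(filenames):
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    findings += inspect_archive(fh.read(), os.path.relpath(path, root))
    return findings


def build_sample_tree(root: str) -> None:
    """Construct a fake deployment: app.jar bundling a log4j-core under lib/."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPERTIES, "# constructed sample\nversion=2.x-SAMPLE\n")
        z.writestr(JNDI_LOOKUP_CLASS, b"")     # empty stand-in for the class
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
        z.writestr("lib/log4j-core-sample.jar", inner.getvalue())
        z.writestr("com/example/App.class", b"")
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as z:
        z.writestr("com/example/Other.class", b"")


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['location']}: log4j-core {f['version']}, "
              f"JndiLookup present: {f['jndi_lookup_present']}")
```

Run `scan_tree` against a real application directory and compare each reported version with the current fixed release on the Apache Log4j security page; the `location` field shows the nesting chain (`app.jar!lib/...`), which is what tells you whether the fix is a vendor update of the outer product or a change you can make yourself.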
Log4j is part of the software supply chain. Like physical items that people buy, software passes through various organizations and software packages before ending up in an end product. Generally, when things go wrong, software is “patched” instead of going through a recall process.
However, because Log4j is embedded in software products in different ways, distributing a fix requires coordination among the Log4j developers, the developers of software that uses Log4j, software distributors, system operators, and users. Typically, this creates a delay between the fix becoming available in the Log4j code and the vulnerability actually being closed on users’ computers.
Estimates of how long software repairs take generally range from weeks to months. However, if past behavior is any indication of future performance, the Log4j vulnerability is likely to keep showing up for years to come.
As a user, you are probably wondering what to do about it. Unfortunately, it’s hard to tell whether a software product you are using contains Log4j, and whether it is using a vulnerable version. However, you can help by following the usual advice from computer security experts: make sure all your software is up to date.
(This article is syndicated by AP of The Conversation)