New local attack vector expands the attack surface to Log4j vulnerability

Cybersecurity researchers have discovered a new attack vector that enables adversaries to exploit the Log4Shell vulnerability on servers locally, using a JavaScript WebSocket connection opened from a web page.

“This newly discovered attack vector means that anyone with a vulnerable Log4j version on their computer or local private network can surf a Web site and potentially trigger the vulnerability,” said Matthew Warner, CTO at Blumira. “At this time, there is no evidence of active exploitation. This vector significantly expands the attack surface and can affect services that even run as local hosts that were not networked.”

WebSockets allow bidirectional communication between a browser (or other client application) and a server, unlike HTTP, which follows a one-way request-response pattern in which the client sends a request and the server returns a response.

While the issue can be resolved by updating all local development and Internet-facing environments to Log4j 2.16.0, on Friday Apache rolled out version 2.17.0, which fixes a denial of service (DoS) flaw tracked as CVE-2021-45105 (CVSS score: 7.5), making it the third Log4j 2 flaw after CVE-2021-45046 and CVE-2021-44228.

The complete list of flaws discovered to date in the logging framework since the original remote code execution bug was disclosed is as follows –

  • CVE-2021-44228 (CVSS score: 10.0) – A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) – An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, except 2.12.2 (fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) – A denial of service issue affecting Log4j versions from 2.0-beta9 to 2.16.0 (fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) – An untrusted deserialization flaw affecting Log4j version 1.2 (no fix available; upgrade to version 2.17.0)
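To turn the version ranges above into something you can run against a dependency inventory, here is an added Python example (not from the article or from any vendor tool) that maps a log4j-core version string to the CVEs listed and the release to upgrade to. The advisory table is transcribed from the list above, and the 1.2 branch follows the article's note that 1.x has no fixed release.

```python
import re
from typing import List, Optional, Tuple

# Advisory data transcribed from the list above:
# (CVE, CVSS, first affected, last affected, exempt versions, fixed-in).
LOG4J2_ADVISORIES = [
    ("CVE-2021-44228", 10.0, "2.0-beta9", "2.14.1", (), "2.15.0"),
    ("CVE-2021-45046", 9.0, "2.0-beta9", "2.15.0", ("2.12.2",), "2.16.0"),
    ("CVE-2021-45105", 7.5, "2.0-beta9", "2.16.0", (), "2.17.0"),
]
LATEST_FIX = "2.17.0"  # the release the article says to move to

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the final build


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Map a Log4j version string to a sortable tuple, so '2.0-beta9' < '2.0' < '2.14.1'."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE_RANK[stage], int(stage_num or 0))


def applicable_cves(version: str) -> List[Tuple[str, float, Optional[str]]]:
    """Return (CVE, CVSS, fixed-in) for every listed advisory that covers this version."""
    parsed = parse_version(version)
    if parsed[0] == 1 and parsed[1] == 2:
        # Log4j 1.2 is end-of-life: CVE-2021-4104 has no patched 1.x release.
        return [("CVE-2021-4104", 8.1, None)]
    hits = []
    for cve, cvss, first, last, exempt, fixed in LOG4J2_ADVISORIES:
        if version in exempt:
            continue  # e.g. 2.12.2 is the backport that already closes CVE-2021-45046
        if parse_version(first) <= parsed <= parse_version(last):
            hits.append((cve, cvss, fixed))
    return hits


def upgrade_target(version: str) -> Optional[str]:
    """Version to move to, or None when no listed CVE applies."""
    return LATEST_FIX if applicable_cves(version) else None


if __name__ == "__main__":
    # Constructed sample inventory; replace with versions pulled from your build tool.
    for v in ("2.14.1", "2.12.2", "2.15.0", "2.16.0", "2.17.0", "1.2.17"):
        print(v, [c for c, _, _ in applicable_cves(v)], "->", upgrade_target(v))
```

Feed it the log4j-core versions reported by your dependency tree (including transitive ones) rather than only direct dependencies, since that is where the Google figures below say most of the exposure sits.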

“We should not be surprised that additional vulnerabilities were discovered in Log4j given the extra specific focus on the library,” said Jake Williams, CTO and co-founder of the emergency response company BreachQuest. “Like Log4j, the original PrintNightmare vulnerability revelation this summer led to the discovery of several other distinct vulnerabilities. The discovery of additional vulnerabilities in Log4j should not cause concern for the security of log4j itself. If anything, Log4j is more secure due to the extra attention from researchers.”

The latest development comes as a number of threat actors have leveraged the Log4j bugs to launch a series of attacks, including ransomware infections involving the Russia-based Conti group and a new ransomware strain called Khonsari. Moreover, the Log4j remote code execution flaw has also opened the door to a third ransomware strain, known as TellYouThePass, which is used in attacks against Windows and Linux devices, according to researchers from Sangfor and Curated Intel.

Bitdefender honeypots signal active Log4Shell 0-day attacks in progress

The easy-to-exploit, ubiquitous vulnerability, which has already spawned as many as 60 variants, has given adversaries a perfect window of opportunity, with Romanian cyber-security firm Bitdefender noting that more than 50% of attacks use the Tor anonymity service to mask their true origins.

“In other words, threat actors exploiting Log4j direct their attacks through machines closer to their intended targets, and just because we do not see countries typically associated with cyber security threats at the top of the list, does not mean that the attacks did not occur there,” said Martin Zugec, Director of Technical Solutions at Bitdefender.

According to telemetry data collected between 11 December and 15 December, Germany and the United States alone accounted for 60% of all exploitation attempts. The most common attack targets during the observation period were the United States, Canada, the United Kingdom, Romania, Germany, Australia, France, the Netherlands, Brazil and Italy.

Google: Over 35,000 Java Packages Affected by Log4j Error

The development also coincides with analysis from Google’s Open Source Insights team, which found that approximately 35,863 Java packages – which account for over 8% of the Maven Central repository – use vulnerable versions of the Apache Log4j library. Of the affected artifacts, only around 7,000 packages are directly dependent on Log4j.

“The user’s lack of insight into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability,” said Google’s James Wetter and Nicky Ringland. On the plus side, 2,620 of the affected packages have already been fixed less than a week after the disclosure.

“It will probably take some time before we understand the full outcome of the log4j vulnerability, but only because it is embedded in so much software,” Williams said. “This has nothing to do with threat actor malware. It has to do with the difficulty of finding the countless places the library is built in. The vulnerability itself will provide initial access for threat actors who will later perform privilege escalation and lateral movement – that’s where the real risk is.”
