Log4j: Three Flaws and Counting

“With the attention CVE-2021-44228 has received, I wouldn’t be surprised if we saw a third CVE related to #Log4j2,” Valtix Senior Security Analyst Davis McCarthy said last week. Those prophetic words turned out to be true just hours after McCarthy uttered them.

Apache quickly released a patch for CVE-2021-45105, a denial-of-service (DoS) vulnerability related to Context Map lookup. And while its severity level (7.5) is not as high as that of the original Log4Shell (10.0), it’s still concerning to the security community: if exploited, it can be used to mount a DoS attack.

“This vulnerability has been keeping a lot of security professionals up at night,” said Tom Garrubba, CISO at Shared Assessments—and with good reason. “Log4j is used all throughout the internet and affects multiple applications and systems with deep roots,” he said. “Sadly, it appears this is going to affect organizations continuously into the future as they identify more items that are affected by this vulnerability.”

Bitdefender said that hackers were targeting Windows machines to exploit CVE-2021-44228, which affects Log4j versions 2.0-beta9 to 2.14.1. The would-be attackers were looking to spread Khonsari, a new ransomware, as well as Orcus, a known remote access Trojan. The attack downloads an additional .NET binary that encrypts files using the extension “.khonsari.”
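As an added example that is not part of the original article (and not Bitdefender's or Apache's code), the Python check below flags log4j-core jar files whose version falls inside the range the article gives for CVE-2021-44228, 2.0-beta9 through 2.14.1; it is an inventory aid for patch triage only, and the file paths are constructed sample data.

```python
import re

# Affected range for CVE-2021-44228 as stated in the article.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

# Matches the version embedded in a log4j-core jar filename, e.g. log4j-core-2.0-beta9.jar
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*(?:-(?:beta|rc)\d+)?)\.jar$", re.IGNORECASE)


def parse_version(v):
    """Turn '2.0-beta9' into a sortable tuple: numeric parts padded to three,
    then a pre-release rank so that a final release sorts above its beta/rc builds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(beta|rc)(\d+))?", v.lower())
    if not m:
        raise ValueError(f"unrecognised log4j version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    if m.group(2) is None:
        pre = (2, 0)                      # final release ranks highest
    else:
        pre = (0 if m.group(2) == "beta" else 1, int(m.group(3)))
    return nums + pre


def is_affected(version):
    """True when version lies in [2.0-beta9, 2.14.1] inclusive."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def scan_jar_names(paths):
    """Return {path: version} for every log4j-core jar in the affected range."""
    hits = {}
    for p in paths:
        m = JAR_RE.search(p)
        if m and is_affected(m.group(1)):
            hits[p] = m.group(1)
    return hits


# Constructed sample inventory (hypothetical paths, not real hosts).
SAMPLE_PATHS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta8.jar",
    "/opt/newer/lib/log4j-core-2.15.0.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",   # api jar, not core: ignored
]

if __name__ == "__main__":
    for path, ver in scan_jar_names(SAMPLE_PATHS).items():
        print(f"AFFECTED {ver}: {path}")
```

The check only covers the range the article quotes for CVE-2021-44228; versions above 2.14.1 are not assessed here against the later CVEs the article mentions.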

But wait—there’s more. Last week was a busy one. The Blumira research team uncovered yet another attack vector for the Log4j vulnerability: a basic JavaScript WebSocket connection, opened during a drive-by compromise, is used to trigger the RCE locally.

Initially, researchers believed that Log4j’s impact would be felt only on exposed vulnerable servers. But the attack vector discovered by Blumira showed that miscreants can exploit any vulnerable version of Log4j running as a listening service on a machine or on the local network, triggering the vulnerability while the victim simply browses a website. The attack vector is threatening in part because it is hard to gain visibility into WebSocket connections within the host, making detection even more complex.

While WebSockets previously have been used for port scanning internal systems, the new flaw “represents one of the first remote code execution exploits being relayed by WebSockets,” said Jake Williams, co-founder and CTO at BreachQuest.

Variants popped up last week amid fears that a worm exploiting the flaw was on the horizon. “A wormable exploit is definitely a valid scenario here—we already see cases where the Log4Shell vulnerability is used by ‘common’ cybercrime-related operations in order to spread ransomware and other common mischief,” said Yaniv Balmas, vice president of security research at Salt Security. “Judging from past experience, it is very likely someone will decide to embed this vulnerability into a worm which will be almost impossible to stop once it reaches critical mass. You must remember that we are still seeing artifacts from similar worms that were launched years ago, even today.”

Talk of worms likely conjures up memories of the devastation caused by WannaCry in 2017. “When security teams think of the threat posed by worms, immediate thoughts will almost always go to the WannaCry incident of 2017, which caused absolute chaos amongst Windows operating systems across a broad spectrum of the security industry,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “While it’s possible that we could see a worm developed to spread among susceptible Log4j devices, there hasn’t been any evidence to suggest this is a priority for threat actors at this time.”

The WannaCry incident “saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue,” said Morgan. “It’s still very much early days with regards to Log4j. While many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations.”

While the impact of a worm shouldn’t be downplayed, Balmas said “that might not be the worst scenario, because of the unbelievable ease with which [the Log4Shell] attack can be applied.”

“Everyone with a basic computer and internet access could launch an attack against millions of online services within minutes,” he said.

“This achieves quite a similar impact as a worm—it is distributed and unpredictable and the damage extent might even be higher than a worm since a worm works ‘blindly’ in an automated manner,” Balmas noted. “In this other scenario, there are actual humans behind the attacks which may target specific entities or institutions and enable attackers to fine-tune their attacks as they progress.”

“Cybercriminals regularly take advantage of new vulnerabilities, especially ones as wide-ranged as Log4Shell. Critically, most organizations are still in the process of responding to the announcement,” Stephanie Simpson, vice president of product management at SCYTHE, said of the Conti attacks on VMware. “They haven’t had adequate time to test their security controls, especially when trying to look for new TTPs using this vulnerability.”

And, indeed, researchers have discovered yet another, previously inactive ransomware family, TellYouThePass, attempting to exploit Log4Shell. “Companies are going to need to assume breach and be proactive over the next few days, and we will likely see an uptick in these attacks through early 2022, at the very least,” said Simpson.

The discovery of a third flaw and all the danger signs before and after have caught the attention of senior leadership on the business side. “The executives and board members are also gaining interest as to how this will affect them as well,” said Garrubba.

John Bambenek, principal threat hunter at Netenrich, believes the latest flaw may not get the lion’s share of attention. “While significant, attackers will likely favor the remote exploit versus the local one,” said Bambenek. “That being said, this news does mean that relying on WAF or other network defenses is no longer an effective mitigation. Patching remains the single most important step an organization can take.”

“This shouldn’t change anyone’s position on vulnerability management, though,” said Williams. “Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”

Garrubba agreed, saying, “The best path you can take right now is to stay alert for all patches that are coming out to address this vulnerability and put them into place immediately.”

But stopping Log4Shell and other vulnerabilities in their path—and preventing them in the first place—will likely require a much broader shift for many organizations. “If we’ve learned anything from the past year, it’s that organizations are struggling to reduce time-to-detect and remediate because they don’t have a way to continuously improve people, processes and technologies,” said Simpson.

“Instances like this really demonstrate the power of crowdsourced security and collaboration,” said Rickard Carlsson, Detectify co-founder and CEO. “Within hours of receiving a proof-of-concept for the Log4j vulnerability from one of the ethical hackers in our community, we were running it as a security test in our customers’ systems. Companies that rely solely on internal research teams and test against known CVEs are in a much tougher position when things like this happen.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.