Author Topic: Log4j CVE-2021-44228  (Read 3056 times)

0 Members and 1 Guest are viewing this topic.

Offline madires

  • Super Contributor
  • ***
  • Posts: 7049
  • Country: de
  • A qualified hobbyist ;)
Re: Log4j CVE-2021-44228
« Reply #25 on: December 18, 2021, 11:42:45 am »
Security firm Blumira discovers major new Log4j attack vector: https://www.zdnet.com/article/security-firm-blumira-discovers-major-new-log4j-attack-vector/
Quote
A basic Javascript WebSocket connection can trigger a local Log4j remote code attack via a drive-by compromise.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 5384
  • Country: pl
Re: Log4j CVE-2021-44228
« Reply #26 on: December 18, 2021, 05:48:10 pm »
Why post blog spam if there is the original article by people who actually know what they are talking about? ;)
https://www.blumira.com/analysis-log4shell-local-trigger/
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 11215
  • Country: fr
Re: Log4j CVE-2021-44228
« Reply #27 on: December 19, 2021, 06:19:52 pm »
So if anyone thinks this will all trigger some thoughts about current software development in general and lead to changes, I think they'll be in for big disappointment.
The damn library will get just "fixed" (until next failure) and people will keep doing business as usual.
 
The following users thanked this post: MazeFrame

Offline madires

  • Super Contributor
  • ***
  • Posts: 7049
  • Country: de
  • A qualified hobbyist ;)
Re: Log4j CVE-2021-44228
« Reply #28 on: December 19, 2021, 06:39:11 pm »
Just saw an SMTP scan from a security company:
rejected EHLO from [a.b.c.d]: syntactically invalid argument(s): ${${::-j}ndi:dns://a.b.e.f/securityscan-<some ID>}
hint: a.b.c.d and a.b.e.f are IPv4 addresses

This is a nice example how CVE-2021-44228 could be triggered.
« Last Edit: December 19, 2021, 07:24:43 pm by madires »
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 5384
  • Country: pl
Re: Log4j CVE-2021-44228
« Reply #29 on: December 19, 2021, 07:05:43 pm »
I wonder if some of those attack servers serving JNDI payloads to victims also might be using Log4j :-DD

If I were to publish a POC for such vulnerability I would include this as an easter egg for all the script kiddies to enjoy.
 

Offline golden_labels

  • Frequent Contributor
  • **
  • Posts: 834
  • Country: pl
Re: Log4j CVE-2021-44228
« Reply #30 on: December 19, 2021, 07:32:03 pm »
Since a couple reports so far of attempts to do so, a friendly warning: do not perform unsolicited security scans to inform potential victims unless you know that help of that kind is accepted. If you can’t resist the urge to help, consider educating people and asking them to test for being vulnerable. Be sure to link to actual knowledge and not pass your ideas, opinions or interpretations of the reality. log4j has a security notifications channel that contains the relevant information.

Organizations, that are well versed in security and appreciate such assistance, are not common. You are more likely to face response somewhere between dismissal and aggression. The latter may be severe, including attempts to destroy you as a person. This is a common and recurring theme in any similar help attempts, but CVE-2021-44228 is more risky: it can’t be positively confirmed without activity that in most jurisdictions will be perceived as strictly criminal or on the fuzzy border of legality. Most smaller entities, like companies consisting of a few workers, will misunderstand your intentions and actions. To larger organizations you are a bearer of the bad news and that is a direct threat to many people in their structures. The mix contains security advisory companies, which are either dishonest and lack knowledge to provide advices or are acting with no regard for anyone other than their client.
You are grounded! — said mom to pin 11 of an LM324 op-amp
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 5384
  • Country: pl
Re: Log4j CVE-2021-44228
« Reply #31 on: December 19, 2021, 07:39:23 pm »
Pretty sure it is illegal in Poland and I believe in the US too and probably in many places.
Unauthorized access to a computer system, thank you very much.

edit
Not necessarily saying it should be that way, but it just is.

And yes, I wouldn't send bad news to a vulnerable system owner by means traceable to me IRL. Firstly, the knowledge is obtained de-facto illegaly in many cases, secondly, stories circulate about organization reacting in a manner that would really make you regret any intentions of helping them >:D
« Last Edit: December 19, 2021, 07:50:34 pm by magic »
 

Offline golden_labels

  • Frequent Contributor
  • **
  • Posts: 834
  • Country: pl
Re: Log4j CVE-2021-44228
« Reply #32 on: December 19, 2021, 08:41:14 pm »
So I have a surprise for you! Poland has an explicit provision in law that conditionally legalizes attacking computer systems for that very purpose. An example of poorly executed response to pentesters’ demands,(1) but it made it to the Penal Code in 2017: addition of article 269c and introduction of §1 to 269b.

The catch? It has not been tested in court yet. So unless you volunteer to be a subject of a legal experiment, engaging in such activity is still a bad idea. The law, even if it works as intended, will not protect you from all the trouble the notified party may bring upon you. And the worst part is that you will face harsh treatment for trying to be helpful, which is by itself PITA.


(1) The backstory: EU-wide agreements require states to implement law that punishes production, posession, distribution etc. of tools that might be used to commit computer crimes, but only under condition that those tools were actually used for that purpose. Poland implemented only the first part, introducing a legal absurd. For years pleas to fix that has been ignored. Finally, in 2016/2017 lobbyists managed to convince Ministry of Digital Affairs to address that issue. But, instead of simply copying the text of the relevant directive and adding the exception, they wrote is from scratch, seemingly understanding neither the subject nor goals. The effect is you can see. A provision that is much wider — to the point of going absurd in the opposite direction.
You are grounded! — said mom to pin 11 of an LM324 op-amp
Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
 
The following users thanked this post: magic

Offline magic

  • Super Contributor
  • ***
  • Posts: 5384
  • Country: pl
Re: Log4j CVE-2021-44228
« Reply #33 on: December 19, 2021, 09:40:05 pm »
Guess I missed it.
Last time I paid attention, tcpdump was an illegal hacking tool ;D

Note that there is no such exemption for 267/1 (not sure how much that one could be stretched against you) and 269c reads to me like all exemptions only apply if no harm has occurred, regardless of intent.

And I would like to bring to your attention that several of those articles mention confiscation, so you can imagine what may happen when you are formally charged. If you can't imagine, I can tell you that I used to know one "friend of a friend" dude who had all his computers "secured" for years by the police for evidence and potential confiscation because he was involve in some... stuff.
« Last Edit: December 19, 2021, 10:06:56 pm by magic »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7049
  • Country: de
  • A qualified hobbyist ;)
Re: Log4j CVE-2021-44228
« Reply #34 on: December 20, 2021, 02:38:16 pm »
First Log4J worm (Mirai bot uses Log4Shell as another self-propagation method): https://twitter.com/1ZRR4H

And a huge THANK YOU to the Log4J developers who are working 22 hours a day at the moment - without any pay!!!
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 910
  • Country: fi
Re: Log4j CVE-2021-44228
« Reply #35 on: December 20, 2021, 03:22:50 pm »
It seems that Belgian Defense Ministry network fell due to a log4shell attack: https://www.brusselstimes.com/belgium/198521/belgian-defence-ministry-network-partially-down-following-cyber-attack
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 11215
  • Country: fr
Re: Log4j CVE-2021-44228
« Reply #36 on: December 20, 2021, 09:34:07 pm »
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7049
  • Country: de
  • A qualified hobbyist ;)
Re: Log4j CVE-2021-44228
« Reply #37 on: December 20, 2021, 10:12:46 pm »
Google: More than 35,000 Java packages impacted by Log4j vulnerabilities (https://therecord.media/google-more-than-35000-java-packages-impacted-by-log4j-vulnerabilities/)
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7049
  • Country: de
  • A qualified hobbyist ;)
Re: Log4j CVE-2021-44228
« Reply #38 on: December 23, 2021, 11:38:59 am »
Logjam: Log4j exploit attempts continue in globally distributed scans, attacks (https://news.sophos.com/en-us/2021/12/20/logjam-log4j-exploit-attempts-continue-in-globally-distributed-scans-attacks/)

About 20 malwares employ the Log4j exploit already.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 11215
  • Country: fr
Re: Log4j CVE-2021-44228
« Reply #39 on: December 23, 2021, 08:54:01 pm »
Nice =)
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 5384
  • Country: pl
Re: Log4j CVE-2021-44228
« Reply #40 on: December 24, 2021, 08:28:14 am »
It's not funny.
We stand in solidarity with the victims and all Java developers stuck cleaning up this mess during Christmas :'(
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf