Log4Shell found in Minecraft
Researchers from cybersecurity firm Cybereason have produced a "vaccine" that remotely mitigates the widespread "Log4Shell" remote code execution vulnerability in Apache Log4j.
Apache Log4j is a Java-based logging library that can be used to record and analyze web server access logs or application logs. The software is heavily used in enterprise, e-commerce and gaming platforms, including Minecraft, which quickly shipped a patched version.
The researchers explained how to exploit this zero-day remote code execution vulnerability in Apache Log4j, which is tracked as CVE-2021-44228 and named "Log4Shell".
While Apache quickly released Log4j 2.15.0 to resolve the vulnerability, cybersecurity firms watched attackers scan for vulnerable devices and attempt to compromise them.
Because the vulnerability can be exploited simply by changing a web browser's user agent and visiting a vulnerable site, or by submitting the string through a site's search field, it quickly became a threat to organizations and to some of the most popular websites on the web.
Log4Shell Vaccine Released
Cybersecurity company Cybereason has released a script, or "vaccine", that exploits the vulnerability to change a setting on a remote, vulnerable Log4Shell instance. Essentially, the vaccine fixes the vulnerability by exploiting the vulnerable server.
"Logout4Shell" is the name of the project. It walks you through setting up a Java-based LDAP server and includes a Java payload that disables the "trustURLCodebase" setting on the remote Log4j server to mitigate the vulnerability.
"While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and later, in the Log4j version (>= 2.10) this behavior can be mitigated by setting log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath."
Additionally, if the server runs a Java runtime >= 8u121, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase default to false, which mitigates this risk.
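To make the mitigation checklist in the two paragraphs above concrete, here is an added Python example; it is not part of the article and not code from Cybereason's Logout4Shell project. It inspects a log4j-core jar for its version and for the JndiLookup class, then reports which of the listed mitigations is in effect, using the thresholds the article gives (Log4j 2.10 for the formatMsgNoLookups property, 2.15.0 as the fixed release, Java 8u121 for the trustURLCodebase defaults). The jar it inspects is constructed in memory, and the function names are this example's own.

```python
"""Added example: evaluate a log4j-core jar against the Log4Shell mitigations
listed in the article. Not from the article or from Logout4Shell."""
import io
import re
import zipfile
from typing import Optional

# Paths inside a Maven-built log4j-core jar (constructed here, not read from disk).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Thresholds as stated in the article. Note: Apache later raised the recommended
# floor (2.16.0 and then 2.17.0) after follow-up CVEs; adjust FIXED_VERSION accordingly.
FIXED_VERSION = (2, 15, 0)
NO_LOOKUPS_MIN_VERSION = (2, 10, 0)


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '2.15.0-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def build_sample_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed sample jar: a pom.properties and (optionally) a JndiLookup.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            # Placeholder bytes: only the entry's presence matters to the check.
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def inspect_log4j_jar(jar_bytes: bytes) -> dict:
    """Read the log4j-core version from pom.properties and look for JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version: Optional[str] = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {"version": version, "has_jndi_lookup": JNDI_LOOKUP_CLASS in names}


def jvm_trust_url_codebase_default(java_version: str) -> bool:
    """True when the JVM defaults trustURLCodebase to false (Java >= 8u121 per the article).
    Accepts '1.8.0_121', '11.0.2' or '17' style strings; older families are treated as False."""
    m = re.match(r"(?:1\.)?(\d+)(?:\.\d+)*(?:_(\d+))?", java_version.strip())
    if not m:
        return False
    major = int(m.group(1))
    update = int(m.group(2) or 0)
    if major >= 9:
        return True
    return major == 8 and update >= 121


def assess(version: Optional[str], has_jndi_lookup: bool,
           format_msg_no_lookups: bool = False,
           trust_url_codebase_false: bool = False) -> str:
    """Return the strongest mitigation in effect, in the article's order of preference."""
    v = parse_version(version) if version else (0,)
    if v >= FIXED_VERSION:
        return "patched"
    if not has_jndi_lookup:
        return "mitigated: JndiLookup removed from classpath"
    # The property is only honoured from 2.10 onwards; setting it on 2.9 does nothing.
    if v >= NO_LOOKUPS_MIN_VERSION and format_msg_no_lookups:
        return "mitigated: log4j2.formatMsgNoLookups=true"
    if trust_url_codebase_false:
        # Blocks remote class loading only; treat as defence in depth, not a fix.
        return "partially mitigated: trustURLCodebase=false"
    return "vulnerable"


if __name__ == "__main__":
    for ver, keep_class in (("2.14.1", True), ("2.14.1", False), ("2.15.0", True)):
        info = inspect_log4j_jar(build_sample_jar(ver, keep_class))
        print(ver, "JndiLookup present" if info["has_jndi_lookup"] else "JndiLookup stripped",
              "->", assess(info["version"], info["has_jndi_lookup"]))
```

On a real host you would feed `inspect_log4j_jar` the bytes of each log4j-core jar found on the classpath, pass the JVM's `log4j2.formatMsgNoLookups` and `trustURLCodebase` system-property values to `assess`, and treat anything short of "patched" as a finding to track until the upgrade lands.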
There are still clear concerns that threat actors or gray hat hackers will use the vaccine for their own ends, as it is common for attackers to compromise a device and then fix the vulnerability to prevent other hackers from taking over the compromised server.
There are also concerns that security researchers might use the vulnerability to remotely repair servers they do not own, even though doing so is considered illegal.
If exploited, the vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to install malware that would completely compromise the machine.
However, the diversity of applications vulnerable to the exploit, and the range of possible delivery mechanisms, mean that firewall protection alone does not eliminate the risk. Theoretically, the exploit could even be delivered physically by hiding the attack string in a QR code that is scanned by a package delivery company, reaching the system without ever having been sent directly over the internet.