Log4Shell - Is this web security flaw affecting anyone you know, yet?

[KaptainRob]

Quoted by some as one of the most dangerous software flaws ever, Log4Shell as it's known was only discovered Friday and is already being exploited.... not sure where,

Info here for the IT guys > https://venturebeat.com/2021/12/12/microsoft-log4j-exploits-extend-past-crypto-mining-to-outright-theft/

For lesser mortals, story here > https://www.stuff.co.nz/business/world/300476524/fully-weaponised-organisations-on-high-alert-as-techs-race-to-fix-software-flaw?cid=PDM717129&bid=1423123449

[ThailandBob]

I used Log4j in several applications. Being retired, I'm not looking back. 

If applications are developed under Maven, Gradle, or any other continuous integration systems, then rebuilding will automatically pull in the updated Log4j jars.  

An easy fix.

 

[Chatogaster]

 

The latest version of Log4J adds a  band-aid that is unfortunately necessary to cover the real problem: 99% of coders are oblivious to the dangers of not sanitizing user input. Trivial preparation and then just setting my phone name to what boiled down to "xxx" (*) triggered funny stuff  (to be clear: it was a harmless test inspired by curiosity and it doesn't work since last Saturday anyway)

(*) I edited "xxx" since trying to post the original message resulted in: "This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data." I wasn't attacking, but it's hilarious nevertheless. Well done!

 

[ThailandBob]

Easy software fix, but deployment will be quite a lot more involved. Think about all of the systems and devices that run Java. 

[Vince]

It's being exploited all over :-) 

state level actors and ransomware gangs pounce over new zero days immediately, assuming they didn't develop it themselves or get it before it's widely known. 

not to be too sarcastic but it's looking like the "open source is secure" arguments (many eyes, etc) is just plain wrong. 

[ThailandBob]

5 hours ago, Vince said:

looking like the "open source is secure" arguments (many eyes, etc) is just plain wrong.

Maybe, though closed source is merely a speed bump to a determined and moderately skilled attacker. Why do Microsoft's products end up being exploited so regularly?

[Lyp14 [ctxa]]

3 hours ago, ThailandBob said:

Maybe, though closed source is merely a speed bump to a determined and moderately skilled attacker. Why do Microsoft's products end up being exploited so regularly?

As someone who does bug bounties for a living, having several CVEs under my name on on iOS (Apple)... I can say that obviously doing vuln. research on open source software is easier, because you have the source code in its original form, and you can understand everything better. 

When it comes to closed source you gotta spend a lot of time on reverse engineering (disassembling, debugging, dynamically hooking, etc...), just to get to the point where you understand how the software works and what it's doing at every step of runtime. 

It's not impossible to exploit closed source software, but it surely is more time consuming. Also open-source vulns. tend to be found more quickly and thus amended more quickly. 

Edited January 19, 2022 by ctxa

[Vince]

6 hours ago, ThailandBob said:

Maybe, though closed source is merely a speed bump to a determined and moderately skilled attacker. Why do Microsoft's products end up being exploited so regularly?

"Large user base" was offered as a rationale by one writer I read. 

Mac used to be safe(r) until mac's became popular! Now Apples get targeted. 

Linux was relatively safe, until everyone started using it. 

What's popular, gets owned. 

Plan9/Inferno is probably a safe OS to use :-) 

good luck finding any software for it lol 

[Rain]

No such thing as web security.

[Lyp14 [ctxa]]

57 minutes ago, Vince said:

"Large user base" was offered as a rationale by one writer I read. 

Mac used to be safe(r) until mac's became popular! Now Apples get targeted. 

Linux was relatively safe, until everyone started using it. 

What's popular, gets owned. 

Plan9/Inferno is probably a safe OS to use :-) 

good luck finding any software for it lol 

It's often not the OS that gets targeted, but rather the user. 

It would take me 10 minutes to code an app for any OS whatsoever, that upon you opening it downloads all your data and sends it to a server of mine (just as an example). The trick here is to fool the user to download and open such apps through various techniques (social engineering). 

Exploits that actually target the OS (or rather its kernel), such as RCE(Remote Code Execution), Privilege Escalation, etc etc still target Windows more than they target Mac, mainly because the Windows' Kernel is a huge unmaintainable mess that still carries unused code from decades ago... macOS' kernel is a tiny bit better written and definitely more tidy (not to say it doesn't have its own f*** ups).

 

Edited January 19, 2022 by ctxa

[Vince]

3 minutes ago, ctxa said:

It's often not the OS that gets targeted, but rather the people. 

It would take me 10 minutes to code an app for any OS whatsoever, that upon you opening it downloads all your data and sends it to a server of mine (just as an example). The trick here is to fool the user to download and open such apps through various techniques (social engineering). 

Exploits that actually target the OS (or rather its kernel), such as RCE(Remote Code Execution), Privilege Escalation, etc etc still target Windows more than they target Mac, mainly because the Windows' Kernel is a huge unmaintainable mess that still carries unused code from decades ago... macOS' kernel is a tiny bit better written and definitely more tidy (not to say it doesn't have its own f*** ups).

It would take less time and (technical) skill to call or text a human target with a social engineering attack, which are devastatingly effective. Phishing is basically just SE over email. 

But my point was about "open source security" - i.e. the many eyes make code secure argument. What happened to many eyes with log4j? 

 

 

[Lyp14 [ctxa]]

7 minutes ago, Vince said:

It would take less time and (technical) skill to call or text a human target with a social engineering attack, which are devastatingly effective. Phishing is basically just SE over email. 

Very true, indeed. No antivirus or even firewall can fully protect a fool getting fooled by a hacker. (SE attack).

8 minutes ago, Vince said:

But my point was about "open source security" - i.e. the many eyes make code secure argument. What happened to many eyes with log4j? 

A lot of people (agencies) keep these vulnerabilities private (for their own benefit), or they sell them to others who keep them private anyway. 

This is pure speculation, but I am willing to bet based on experience that had Apache (log4j) been closed source, this vulnerability would have never been found! 

I would change that argument to "Many eyes find vulnerabilities" but not necessarily "Many eyes make code secure", because like I said a bunch keep the vulnerabilities they find private.

[Vince]

3 minutes ago, ctxa said:

Very true, indeed. No antivirus or even firewall can fully protect a fool getting fooled by a hacker. (SE attack).

A lot of people (agencies) keep these vulnerabilities private (for their own benefit), or they sell them to others who keep them private anyway. 

This is pure speculation, but I am willing to bet based on experience that had Apache (log4j) been closed source, this vulnerability would have never been found! 

I would change that argument to "Many eyes find vulnerabilities" but not necessarily "Many eyes make code secure", because like I said a bunch keep the vulnerabilities they find private.

The military uses "security through obscurity" but the Open Source community, wanting open code access, dismisses obfuscation. Obfuscation - which 'closed source' code uses for business reasons, simply slows down attackers.

Code has been stolen (Quake) or can be reverse engineered (Playstation), so this slows down attacks and raises the bar but the attacks continue. 

If log4j was closed source it might not have been used at all. 

The open source model appears to be a massive house of cards in some areas.

It's still amazing software, and an achievement of spectacular merit, but the facile arguments about security are seeming to be proven incorrect. 

'Closed source' software may be no better or even worse. 

[Lyp14 [ctxa]]

1 minute ago, Vince said:

The military uses "security through obscurity" but the Open Source community, wanting open code access, dismisses obfuscation. Obfuscation - which 'closed source' code uses for business reasons, simply slows down attackers.

Code has been stolen (Quake) or can be reverse engineered (Playstation), so this slows down attacks and raises the bar but the attacks continue. 

If log4j was closed source it might not have been used at all. 

The open source model appears to be a massive house of cards in some areas.

It's still amazing software, and an achievement of spectacular merit, but the facile arguments about security are seeming to be proven incorrect. 

'Closed source' software may be no better or even worse. 

The truth is that neither "open source" nor "closed source" concepts have nothing to do with security. 

Just open source makes it a tiny bit less time consuming to find vulnerabilities.

[Vince]

2 minutes ago, ctxa said:

The truth is that neither "open source" nor "closed source" concepts have nothing to do with security. 

Just open source makes it a tiny bit less time consuming to find vulnerabilities.

The open source community was assailed as being less secure than closed source for this reason - ease of finding flaws. 

The OSS community rolled out it's "party line" suggesting it was more secure, and the 'many eyes' argument is a common reply. 

But the hostile (maybe paid) code viewers may be more systematic and motivated to exploit bugs than the unpaid volunteers are willing to review and patch them.

And the NSA and North Korea don't report the bugs they find for some reason :-D 

Defense is harder than offense, as the saying goes. 

Log4j exposes (again), just like the recent openssl problems, open source security issues.