Log4Shell - Is this web security flaw affecting anyone you know, yet?


KaptainRob

Quoted by some as one of the most dangerous software flaws ever, Log4Shell, as it's known, was only discovered Friday and is already being exploited... not sure where.

Info here for the IT guys > https://venturebeat.com/2021/12/12/microsoft-log4j-exploits-extend-past-crypto-mining-to-outright-theft/

For lesser mortals, story here > https://www.stuff.co.nz/business/world/300476524/fully-weaponised-organisations-on-high-alert-as-techs-race-to-fix-software-flaw?cid=PDM717129&bid=1423123449

  • Like 1

I used Log4j in several applications. Being retired, I'm not looking back. 

If applications are developed under Maven, Gradle, or any other continuous integration system, then rebuilding will automatically pull in the updated Log4j jars.

An easy fix.

 

  • Thanks 1
  • Cool 1
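The post above assumes a rebuild pulls in the fixed jars. A practitioner would still want to verify what the build actually resolved on disk, including copies of log4j-core embedded inside fat jars, WARs and EARs. The following checker is an added example, not code from this thread or from the Log4j project: it reads the Maven pom.properties that log4j-core ships inside its jar to learn the version, notes whether the JndiLookup class is present, recurses into nested archives, and flags any copy whose version is unknown or older than a minimum the caller chooses. The minimum version is an assumption passed in by the caller (the thread does not state which release is the fix), and the sample jars are constructed fixtures.

```python
"""Scan jars/WARs/EARs for embedded log4j-core and report its version.

Added example, not from the thread or the Log4j project. The minimum safe
version is a caller-supplied policy value, not a fact taken from this page.
"""
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Entries that log4j-core 2.x ships inside its own jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str) -> Optional[Version]:
    """Extract 'version=2.x.y' from a Maven pom.properties file as an int tuple."""
    m = re.search(r"^version=(\d+(?:\.\d+)*)", pom_properties, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def inspect_archive(data: bytes, label: str, min_safe: Version, depth: int = 0) -> List[Dict]:
    """Return one finding per log4j-core found in `data` or in archives nested
    inside it (fat jars, WARs and EARs commonly embed log4j-core)."""
    findings: List[Dict] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({
                "location": label,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # A copy whose version cannot be read cannot be shown safe, so flag it too.
                "needs_action": version is None or version < min_safe,
            })
        if depth < 3:  # bounded recursion into nested archives
            for name in names:
                if name.lower().endswith(NESTED_SUFFIXES):
                    findings.extend(inspect_archive(zf.read(name), f"{label}!{name}", min_safe, depth + 1))
    return findings


def scan_tree(root: Path, min_safe: Version) -> List[Dict]:
    """Walk a directory (a build output, a lib folder, a local Maven cache) and inspect every archive."""
    out: List[Dict] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in NESTED_SUFFIXES:
            out.extend(inspect_archive(path.read_bytes(), str(path), min_safe))
    return out


def build_sample_jar(version: Optional[str], include_jndi: bool, nested: Optional[bytes] = None) -> bytes:
    """Constructed fixture: a minimal jar carrying the log4j-core markers (no real log4j code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only; placeholder content
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    MIN_SAFE: Version = (2, 17, 0)  # assumption: the caller's own policy threshold
    if len(sys.argv) > 1:
        results = scan_tree(Path(sys.argv[1]), MIN_SAFE)
    else:  # no path given: demonstrate on constructed fixtures
        old = build_sample_jar("2.14.1", True)
        results = inspect_archive(build_sample_jar(None, False, nested=old), "demo.war", MIN_SAFE)
    for r in results:
        print(f"{r['location']}: version={r['version']} jndi={r['jndi_lookup_present']} action={r['needs_action']}")
```

Run it against a build output directory or a local Maven repository; a copy flagged `needs_action` is either older than the chosen threshold or has no readable version, which is the case worth chasing because a pinned transitive dependency does not move just because a build was rerun.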

 

The latest version of Log4J adds a band-aid that is unfortunately necessary to cover the real problem: 99% of coders are oblivious to the dangers of not sanitizing user input. Trivial preparation and then just setting my phone name to what boiled down to "xxx" (*) triggered funny stuff (to be clear: it was a harmless test inspired by curiosity, and it doesn't work since last Saturday anyway).

(*) I edited "xxx" since trying to post the original message resulted in: "This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data." I wasn't attacking, but it's hilarious nevertheless. Well done!

 

  • Like 1

  • 1 month later...

It's being exploited all over :-) 

State-level actors and ransomware gangs pounce on new zero days immediately, assuming they didn't develop it themselves or get it before it's widely known.

Not to be too sarcastic, but it's looking like the "open source is secure" arguments (many eyes, etc.) are just plain wrong.


5 hours ago, Vince said:

looking like the "open source is secure" arguments (many eyes, etc.) are just plain wrong.

Maybe, though closed source is merely a speed bump to a determined and moderately skilled attacker. Why do Microsoft's products end up being exploited so regularly?


3 hours ago, ThailandBob said:

Maybe, though closed source is merely a speed bump to a determined and moderately skilled attacker. Why do Microsoft's products end up being exploited so regularly?

As someone who does bug bounties for a living, having several CVEs under my name on iOS (Apple)... I can say that obviously doing vuln. research on open source software is easier, because you have the source code in its original form, and you can understand everything better.

When it comes to closed source you gotta spend a lot of time on reverse engineering (disassembling, debugging, dynamically hooking, etc...), just to get to the point where you understand how the software works and what it's doing at every step of runtime. 

It's not impossible to exploit closed source software, but it surely is more time consuming. Also open-source vulns. tend to be found more quickly and thus amended more quickly. 

Edited by ctxa

6 hours ago, ThailandBob said:

Maybe, though closed source is merely a speed bump to a determined and moderately skilled attacker. Why do Microsoft's products end up being exploited so regularly?

"Large user base" was offered as a rationale by one writer I read. 

Mac used to be safe(r) until Macs became popular! Now Apples get targeted.

Linux was relatively safe, until everyone started using it. 

What's popular, gets owned. 

Plan9/Inferno is probably a safe OS to use :-) 

good luck finding any software for it lol 


57 minutes ago, Vince said:

"Large user base" was offered as a rationale by one writer I read. 

Mac used to be safe(r) until Macs became popular! Now Apples get targeted.

Linux was relatively safe, until everyone started using it. 

What's popular, gets owned. 

Plan9/Inferno is probably a safe OS to use :-) 

good luck finding any software for it lol 

It's often not the OS that gets targeted, but rather the user. 

It would take me 10 minutes to code an app for any OS whatsoever, that upon you opening it downloads all your data and sends it to a server of mine (just as an example). The trick here is to fool the user to download and open such apps through various techniques (social engineering). 

Exploits that actually target the OS (or rather its kernel), such as RCE (Remote Code Execution), Privilege Escalation, etc. etc., still target Windows more than they target Mac, mainly because the Windows kernel is a huge unmaintainable mess that still carries unused code from decades ago... macOS' kernel is a tiny bit better written and definitely more tidy (not to say it doesn't have its own f*** ups).

 

Edited by ctxa

3 minutes ago, ctxa said:

It's often not the OS that gets targeted, but rather the people. 

It would take me 10 minutes to code an app for any OS whatsoever, that upon you opening it downloads all your data and sends it to a server of mine (just as an example). The trick here is to fool the user to download and open such apps through various techniques (social engineering). 

Exploits that actually target the OS (or rather its kernel), such as RCE (Remote Code Execution), Privilege Escalation, etc. etc., still target Windows more than they target Mac, mainly because the Windows kernel is a huge unmaintainable mess that still carries unused code from decades ago... macOS' kernel is a tiny bit better written and definitely more tidy (not to say it doesn't have its own f*** ups).

It would take less time and (technical) skill to call or text a human target with a social engineering attack, which are devastatingly effective. Phishing is basically just SE over email. 

But my point was about "open source security" - i.e. the many eyes make code secure argument. What happened to many eyes with log4j? 

 

 


7 minutes ago, Vince said:

It would take less time and (technical) skill to call or text a human target with a social engineering attack, which are devastatingly effective. Phishing is basically just SE over email. 

Very true, indeed. No antivirus or even firewall can fully protect a fool getting fooled by a hacker (SE attack).

8 minutes ago, Vince said:

But my point was about "open source security" - i.e. the many eyes make code secure argument. What happened to many eyes with log4j? 

A lot of people (agencies) keep these vulnerabilities private (for their own benefit), or they sell them to others who keep them private anyway. 

This is pure speculation, but I am willing to bet based on experience that had Apache (log4j) been closed source, this vulnerability would have never been found! 

I would change that argument to "Many eyes find vulnerabilities" but not necessarily "Many eyes make code secure", because like I said a bunch keep the vulnerabilities they find private.


3 minutes ago, ctxa said:

Very true, indeed. No antivirus or even firewall can fully protect a fool getting fooled by a hacker (SE attack).

A lot of people (agencies) keep these vulnerabilities private (for their own benefit), or they sell them to others who keep them private anyway. 

This is pure speculation, but I am willing to bet based on experience that had Apache (log4j) been closed source, this vulnerability would have never been found! 

I would change that argument to "Many eyes find vulnerabilities" but not necessarily "Many eyes make code secure", because like I said a bunch keep the vulnerabilities they find private.

The military uses "security through obscurity" but the Open Source community, wanting open code access, dismisses obfuscation. Obfuscation - which 'closed source' code uses for business reasons, simply slows down attackers.

Code has been stolen (Quake) or can be reverse engineered (Playstation), so this slows down attacks and raises the bar but the attacks continue. 

If log4j was closed source it might not have been used at all. 

The open source model appears to be a massive house of cards in some areas.

It's still amazing software, and an achievement of spectacular merit, but the facile arguments about security are seeming to be proven incorrect. 

'Closed source' software may be no better or even worse. 


1 minute ago, Vince said:

The military uses "security through obscurity" but the Open Source community, wanting open code access, dismisses obfuscation. Obfuscation - which 'closed source' code uses for business reasons, simply slows down attackers.

Code has been stolen (Quake) or can be reverse engineered (Playstation), so this slows down attacks and raises the bar but the attacks continue. 

If log4j was closed source it might not have been used at all. 

The open source model appears to be a massive house of cards in some areas.

It's still amazing software, and an achievement of spectacular merit, but the facile arguments about security are seeming to be proven incorrect. 

'Closed source' software may be no better or even worse. 

The truth is that neither the "open source" nor the "closed source" concept has anything to do with security.

Just open source makes it a tiny bit less time consuming to find vulnerabilities.


2 minutes ago, ctxa said:

The truth is that neither the "open source" nor the "closed source" concept has anything to do with security.

Just open source makes it a tiny bit less time consuming to find vulnerabilities.

The open source community was assailed as being less secure than closed source for this reason - ease of finding flaws. 

The OSS community rolled out its "party line" suggesting it was more secure, and the 'many eyes' argument is a common reply.

But the hostile (maybe paid) code viewers may be more systematic and motivated to exploit bugs than the unpaid volunteers are willing to review and patch them.

And the NSA and North Korea don't report the bugs they find for some reason :-D 

Defense is harder than offense, as the saying goes. 

Log4j exposes (again), just like the recent openssl problems, open source security issues. 

 


Important Information

By posting on Thaiger Talk you agree to the Terms of Use