All Log4j, logback bugs we know so far and why you MUST ditch 2.15
Everyone’s heard of the critical log4j zero-day by now. Dubbed ‘Log4Shell,’ the vulnerability has already set the internet on fire.
Thus far, the log4j vulnerability, tracked as CVE-2021-44228, has been abused by all kinds of threat actors, from state-backed hackers to ransomware gangs, and by others to inject Monero miners on vulnerable systems.
Log4j usage is rampant among many software products and multiple vendor advisories have since surfaced. And, it now seems, ‘logback’ isn’t all that immune either.
Below we summarize the multiple relevant CVEs identified thus far, and pretty good reasons to ditch log4j version 2.15.0, in favor of 2.16.0.
It all began last Thursday, December 9th, when a PoC exploit for the critical Log4j zero-day hit GitHub.
What followed was the vulnerability disclosure and mass-scanning activity from attackers targeting vulnerable servers.
Given Log4j’s vast usage in the majority of Java applications, Log4Shell soon turned into a nightmare for enterprises and governments worldwide.
Below are the CVEs in the order that they emerged that you should know about:
Log4j 2.15.0 might contain even more severe vulnerabilities than the ones discovered so far, which is why 2.16.0 is by far a safer bet.
Because of CVE-2021-45046 described above, the maximum impact from the flaw initially appeared to be DoS, but that assumption is evolving, BleepingComputer has learned.
Cloud security firm Praetorian demonstrated how Log4j 2.15.0 versions could still be abused for DNS-based data exfiltration from external hosts, and is working with Apache towards a coordinated disclosure.
In an email interview with BleepingComputer, Praetorian’s principal security engineer, Anthony Weems, sheds more light on the research:
“The Praetorian blog post is in response to CVE-2021-45046, which applies to Log4j version 2.15. The CVE description states that—when using a specific type of Pattern Layout—this vulnerability can lead to a denial of service. The reason they state it is DoS only is due to the localhost allowlist,” Weems tells BleepingComputer.
“We’ve developed a bypass for this ‘localhost’ allowlist and sent the details to Apache. At minimum, this means systems that are vulnerable to CVE-2021-45046 are not just vulnerable to DoS, but also DNS exfil of potentially sensitive environment variables.”
Praetorian shared a PoC video demonstrating just this:
“Apache has confirmed receipt of our write-up; whether this merits an edit of the CVE or a new CVE is a good question – however, the action required by defenders is clear cut in either case: moving to 2.16.0 where jndi is disabled by default is the safest course of action, and is the approach we’re recommending for our customers,” concluded Praetorian in their statement to BleepingComputer.
Moreover, at the time of writing, BleepingComputer came across multiple security researchers claiming that it is possible to achieve full-on RCE, even with 2.15.0.
“Here is a PoC on how to bypass allowedLdapHost and allowedClasses checks in Log4J 2.15.0 to achieve RCE… and to bypass allowedClasses just choose a name for a class in the JDK. Deserialization will occur as usual,” explains researcher Márcio Almeida:
“This happens because of how the check was done. The https://t.co/KrgP5x639Q.URI getHost() method returns the value before the # as the real host. But the JNDI/LDAP resolver will resolve to the full hostname string, attempting to connect to the malicious LDAP server.”
Similarly, Alvaro Muñoz of GitHub Security Lab shared success with bypassing the fixes made to 2.15.0 to achieve remote code execution:
“@_atorralba and I just managed to bypass the allowedLdapHost and allowedClasses checks. 2.15 with no formatMsgNoLookups mitigations is still vulnerable to RCE. 2.15.0 w/o those mitigations is vulnerable only if attackers can control non-message parts of the pattern layout.”
“As a side note, the default settings will not be affected. Lookup must be enabled by specifying %m{lookups} or by a method such as CVE-2021-45046,” says security researcher RyotaK, adding to Muñoz’s research.
The worst possible scenario resulting from Log4j 2.15.0 is yet to be fully determined, but suffice it to say, it doesn’t seem to be limited to DoS.
As the situation continues to evolve, organizations and developers are encouraged to upgrade to version 2.16.0, and to continue to monitor Apache’s Log4j advisory page for updates.
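As an added example (not code from the article, Apache, or any of the researchers quoted), here is a small Python inventory check that reads log4j-core jars and maps the version onto the advice above: below 2.15.0 is CVE-2021-44228, 2.15.0 is still affected by CVE-2021-45046, and 2.16.0 or later disables JNDI by default. It assumes the usual log4j-core packaging (an Implementation-Version entry in META-INF/MANIFEST.MF and classes under org/apache/logging/log4j/core/); the sample jar the block builds is constructed for the demo, not a real one.

```python
import io
import re
import zipfile
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP_CLASS = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"

def parse_version(version):
    """Turn '2.15.0' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x or 0) for x in m.groups())

def classify_log4j_version(version):
    """Map a log4j-core version onto the article's advice (upgrade to 2.16.0)."""
    v = parse_version(version)
    if v < (2, 15, 0):
        return "CVE-2021-44228: Log4Shell RCE, upgrade to 2.16.0"
    if v < (2, 16, 0):
        return "CVE-2021-45046: 2.15.0 still affected, upgrade to 2.16.0"
    return "2.16.0 or later: JNDI disabled by default"

def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def scan_jar(jar_bytes):
    """Report version, JndiLookup presence and verdict for a log4j-core jar; None if it is not one."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if not any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            return None
        version = manifest_version(zf)
        has_jndi = JNDI_LOOKUP_CLASS in names  # the lookup class the JNDI-disabled default neutralises
    verdict = classify_log4j_version(version) if version else "version unknown, inspect manually"
    return {"version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}

def build_sample_jar(version):
    """Constructed stand-in for a log4j-core jar: a manifest plus an empty JndiLookup.class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder entry, not real bytecode
    return buf.getvalue()
```

Point scan_jar at the bytes of each jar found on a host (including jars nested inside fat jars or WAR files) to get a per-artifact verdict.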
Update 09:11 AM ET: Severity for CVE-2021-45046 changed to Critical/9.0 according to Apache’s updated advisory page.