Kredit:Pixabay/CC0 Public Domain
Log4Shell, en internetsårbarhed, der påvirker millioner af computere, involverer et obskurt, men næsten allestedsnærværende stykke software, Log4j. Softwaren bruges til at optage alle mulige aktiviteter, der foregår under motorhjelmen i en lang række computersystemer.
Jen Easterly, direktør for U.S. Cybersecurity &Infrastructure Security Agency, kaldte Log4Shell for den mest alvorlige sårbarhed, hun har set i sin karriere. Der har allerede været hundredtusindvis, måske millioner, af forsøg på at udnytte sårbarheden.
Så hvad er dette ydmyge stykke internetinfrastruktur, hvordan kan hackere udnytte det, og hvilken slags kaos kan opstå?
Hvad gør Log4j?
Log4j registrerer hændelser - fejl og rutinemæssige systemoperationer - og kommunikerer diagnostiske meddelelser om dem til systemadministratorer og brugere. Det er open source-software leveret af Apache Software Foundation.
Et almindeligt eksempel på Log4j på arbejde er, når du indtaster eller klikker på et dårligt weblink og får en 404-fejlmeddelelse. Webserveren, der kører domænet for det weblink, du forsøgte at komme til, fortæller dig, at der ikke er en sådan webside. Den registrerer også denne hændelse i en log for serverens systemadministratorer, der bruger Log4j.
Lignende diagnostiske meddelelser bruges overalt i softwareapplikationer. For eksempel, i onlinespillet Minecraft, bruges Log4j af serveren til at logge aktivitet som den samlede hukommelse, der er brugt og brugerkommandoer indtastet i konsollen.
Hvordan fungerer Log4Shell?
Log4Shell virker ved at misbruge en funktion i Log4j, der giver brugerne mulighed for at angive brugerdefineret kode til formatering af en logmeddelelse. Denne funktion gør det muligt for Log4j for eksempel at logge ikke kun det brugernavn, der er knyttet til hvert forsøg på at logge ind på serveren, men også personens rigtige navn, hvis en separat server har en mappe, der forbinder brugernavne og rigtige navne. For at gøre det skal Log4j-serveren kommunikere med serveren med de rigtige navne.
Desværre kan denne type kode bruges til mere end blot at formatere logbeskeder. Log4j tillader tredjepartsservere at indsende softwarekode, der kan udføre alle slags handlinger på den målrettede computer. Dette åbner døren for ondsindede aktiviteter, såsom at stjæle følsom information, tage kontrol over det målrettede system og udslip ondsindet indhold til andre brugere, der kommunikerer med den berørte server.
Det er relativt enkelt at udnytte Log4Shell. Jeg var i stand til at gengive problemet i min kopi af Ghidra, en omvendt konstruktionsramme for sikkerhedsforskere, på blot et par minutter. Der er en meget lav bar for at bruge denne udnyttelse, hvilket betyder, at en bredere vifte af mennesker med ondsindede hensigter kan bruge den.
Log4j er overalt
En af de største bekymringer ved Log4Shell er Log4js position i software-økosystemet. Logning er en grundlæggende funktion i de fleste software, hvilket gør Log4j meget udbredt. In addition to popular games like Minecraft, it's used in cloud services like Apple iCloud and Amazon Web Services, as well as a wide range of programs from software development tools to security tools.
This means hackers have a large menu of targets to choose from:home users, service providers, source code developers and even security researchers. So while big companies like Amazon can quickly patch their web services to prevent hackers from exploiting them, there are many more organizations that will take longer to patch their systems, and some that might not even know they need to.
The damage that can be done
Hackers are scanning through the internet to find vulnerable servers and setting up machines that can deliver malicious payloads. To carry out an attack, they query services (for example, web servers) and try to trigger a log message (for example, a 404 error). The query includes maliciously crafted text, which Log4j processes as instructions.
These instructions can create a reverse shell, which allows the attacking server to remotely control the targeted server, or they can make the target server part of a botnet. Botnets use multiple hijacked computers to carry out coordinated actions on behalf of the hackers.
A large number of hackers are already trying to abuse Log4Shell. These range from ransomware gangs locking down minecraft servers to hacker groups trying to mine bitcoin and hackers associated with China and North Korea trying to gain access to sensitive information from their geopolitical rivals. The Belgian ministry of defense reported that its computers were being attacked using Log4Shell.
Although the vulnerability first came to widespread attention on Dec. 10, 2021, people are still identifying new ways to cause harm through this mechanism.
Stopping the bleeding
It is hard to know whether Log4j is being used in any given software system because it is often bundled as part of other software. This requires system administrators to inventory their software to identify its presence. If some people don't even know they have a problem, it's that much harder to eradicate the vulnerability.
Another consequence of Log4j's diverse uses is there is no one-size-fits-all solution to patching it. Depending on how Log4j was incorporated in a given system, the fix will require different approaches. It could require a wholesale system update, as done for some Cisco routers, or updating to a new version of software, as done in Minecraft, or removing the vulnerable code manually for those who can't update the software.
Log4Shell is part of the software supply chain. Like physical objects people purchase, software travels through different organizations and software packages before it ends up in a final product. When something goes wrong, rather than going through a recall process, software is generally "patched," meaning fixed in place.
However, given that Log4j is present in various ways in software products, propagating a fix requires coordination from Log4j developers, developers of software that use Log4j, software distributors, system operators and users. Usually, this introduces a delay between the fix being available in Log4j code and people's computers actually closing the door on the vulnerability.
Some estimates for time-to-repair in software generally range from weeks to months. However, if past behavior is indicative of future performance, it is likely the Log4j vulnerability will crop up for years to come.
As a user, you are probably wondering what can you do about all this. Unfortunately, it is hard to know whether a software product you are using includes Log4j and whether it is using vulnerable versions of the software. However, you can help by heeding the common refrain from computer security experts:Make sure all of your software is up to date.