Are Endpoints at Risk for Log4Shell Attacks
The end of 2021 saw the emergence of the Log4Shell (CVE-2021-44228) vulnerability, a critical vulnerability in the ubiquitous Java logging package Apache Log4j. Exploiting Log4Shell via crafted log messages can allow an attacker to execute code on remote machines. The potential impact of this vulnerability is great enough that it scores a 10.0 rating based on CVSS version 3.x and a 9.3 rating based on CVSS version 2.0 in terms of critical risk — and it’s easy to see why.
This vulnerability has the potential to have far-reaching consequences due to the widespread use of Log4j. When a user with malicious intent manages to take control of the log messaging system and affect the relevant Log4J processes, it can lead to possible remote code execution attacks.
While the attacks so far have been directed at the server level, there could be a second wave of attacks that can put endpoints at risk.
A malicious actor can use the vulnerability to trigger attacks against consumer devices and even automobiles. For example, recent demonstrations from various researchers have shown how Apple iPhones and even Tesla automobiles can be compromised through simple exploit strings, after which commands can be issued and sensitive data stolen from the backend servers being used for these machines.
Servers remain the targets with the highest risk of Log4Shell attacks, especially internet-facing servers that are using vulnerable versions of Log4j since they are the easiest to compromise. This is followed by internal servers that are running vulnerable Log4j versions, but also have some sort of exposed service that can be compromised by access brokers. Finally, it is possible that malicious actors could begin targeting desktops that are running vulnerable versions of Log4j through certain desktop applications.
What Can You Do?
Backed by publicly-available open-source tools, we have created a vulnerability scanning tool that can cover all possible scenarios — including attacks on servers, desktops, and endpoints. The tool can help users check if they are indeed running applications that have a vulnerable version of Log4j.
Given that exploits for Log4Shell are already being weaponized, patching vulnerable machines should be a priority for everyone. Most software vendors have released advisories to help their customers navigate to an appropriate solution. It is highly recommended users apply vendor patches to their latest iteration as they become available.