CVE-2021-44228 – Log4j Critical Security Vulnerability

In today's news post Computeam Chief Technical Officer Jon Crosse provides some practical advice, technical best practice and guidance for the education sector in response to the Critical Security Vulnerability affecting the Apache Log4j Java Library. Jon writes...

Many of you may have already seen on the internet and various news sites information about a Critical Security Vulnerability which has recently been discovered and has come to the fore this weekend. The vulnerability which affects the Apache Log4j Java Library has been recorded as CVE-2021-44228.

This vulnerability is particularly concerning because the issue is understood to be widespread and is relatively easy for hackers to make use of.

The vulnerability lies in the Apache Log4j Java library, which handles logging of error messages in many software applications. The exploit allows Unauthenticated Remote Code Execution, which effectively means an attacker can run programs and code on a vulnerable machine without any interaction from users of that machine. As well as providing access to potentially sensitive data stored on those machines, the most commonly seen use of this technique so far has been to deploy Crypto-Mining Software or to enrol machines in botnets, effectively taking control of the machine and its resources for a hacker to use for their own purposes.

It is also worth noting that while information about this vulnerability started to appear on Friday and has been widely publicised over the weekend, activity and evidence of people exploiting this vulnerability has been identified from 1st December, suggesting it was in the wild at least 9 days before being publicly disclosed.

This sounds bad! But what should I do?

The good news is that over the weekend, since the vulnerability became more widely publicised, vendors have been rushing to get patches out and document workarounds for affected products. There are a number of steps that we at Computeam are already taking to protect our clients, and which anyone else can also take to mitigate and limit the potential impact of this vulnerability.

Patching and updates

Computeam, along with everyone else in the industry, is still trying to understand the full extent of the impact of this vulnerability, which could take some time. Not every application using this library will be vulnerable, as other techniques used in software development, such as user input validation, may prevent an attacker from being able to take advantage of the exploit. Software developers, QA teams and many other professionals are therefore working to test applications, checking every input field to identify any potential avenue for exploitation. The most important thing we can do is patch software systems as soon as those patches become available.

Some examples of applications which are known to be vulnerable (if unpatched) and may well be used in an education setting include:

  Apple iCloud

  Minecraft - Important Message: Security vulnerability in Java Edition | Minecraft

  Ubiquiti UniFi Network Application - UniFi Network Application 6.5.54 | Ubiquiti Community

  Various VMWare applications - VMSA-2021-0028.1 (vmware.com)

  Amazon Web Services - Update for Apache Log4j2 Security Bulletin (CVE-2021-44228)

  Oracle - Oracle Security Alert Advisory - CVE-2021-44228

  SolarWinds - SolarWinds Trust Center Security Advisories | CVE-2021-44228

This is by no means a definitive list, just a few examples of the applications identified so far. If any of these applications are used in your school, though, it is vital that the versions in use are checked and updated accordingly. We are actively reviewing supported client networks and updating accordingly, but we also know of many schools that have such systems outside of our support services.
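As an added example (not part of Jon's post and not a Computeam tool), the following Python script walks a directory tree, finds Log4j 2 core JARs and reports whether each one is below 2.15.0, the release in which Apache fixed CVE-2021-44228, and whether it still contains the JndiLookup class that Apache's documented workaround removes from older versions. The sample JAR it can build is a constructed stand-in; the verdict names, output fields and the file-name pattern it matches are this example's own assumptions.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # first Log4j 2 release that fixed CVE-2021-44228
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Apache's workaround deletes this
JAR_NAME = re.compile(r"^log4j-core-(?P<ver>[0-9][^/]*?)\.jar$", re.IGNORECASE)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0): tags are dropped, every 2.x < 2.15.0 is affected."""
    nums = []
    for part in re.split(r"[.\-]", text)[:3]:
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))

def inspect_jar(path):
    """Report one JAR: manifest version (file name as fallback), JndiLookup presence, verdict."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    # Prefer the manifest's Implementation-Version; fall back to the version in the file name.
    match = (re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
             or JAR_NAME.match(os.path.basename(path)))
    version = match.group(1) if match else "unknown"
    has_jndi = JNDI_CLASS in names
    if version == "unknown":
        verdict = "unknown"
    elif parse_version(version) >= FIXED_VERSION:
        verdict = "patched"
    else:  # pre-2.15.0 JAR: mitigated only if JndiLookup.class has been stripped out
        verdict = "mitigated" if not has_jndi else "VULNERABLE"
    return {"path": path, "version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}

def scan(root):
    """Walk a directory tree and inspect every log4j-core JAR found under it."""
    return [inspect_jar(os.path.join(d, f)) for d, _, files in os.walk(root)
            for f in files if JAR_NAME.match(f)]

def make_sample_jar(version, include_jndi=True):
    """Constructed stand-in JAR (manifest plus optional dummy JndiLookup.class) for trying the scanner."""
    path = os.path.join(tempfile.mkdtemp(), f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return path
```

Run `scan()` against your application and server directories; it only looks at JARs lying directly on disk, so copies bundled inside WAR or EAR archives, or renamed and shaded into another JAR, still need a separate check.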

Antivirus

The exploit itself is not easy for Antivirus software to detect, but the subsequent activities a hacker may try to undertake can often be detected, so it is essential that Antivirus software is kept up to date to identify the latest malware and techniques which could be deployed by an attacker following an initial exploitation. Again, clients with Computeam Support services can rest assured that we are reviewing, and in some cases accelerating, scheduled updates where we provide your Antivirus platform. If you are unsure who the provider of your system is, by all means get in touch and we will confirm.

Secure Configuration

While you would obviously hope to stop the exploit itself from taking place, should you be unlucky enough to be affected, there are things you can do to limit the further impact of a malicious attacker's activities. Once an attacker has exploited the vulnerability, they will likely be looking for ways to gain the highest level of access to your machine they can (known as Privilege Escalation), which will allow them unrestricted access. While some Privilege Escalation techniques can be very complex, there are some simpler things that can be done to secure the configuration of a machine and make things harder for an attacker.

  Ensure software runs using service accounts that have only the level of access required (not running as Administrative/Root users by default!) – When an attacker uses this vulnerability to perform Remote Code Execution, they will do so using the account which the software has been designed to run with. Therefore, if the software is set to run using an administrator/root account, they will already have that level of access straight away and won’t need to escalate their privileges. The same goes for using privileged accounts for day-to-day use (rather than only for administrative tasks): if you are running vulnerable software while logged in as an administrative user and it is exploited, the hacker now also has administrative control!

  Strong Passwords (especially for privileged accounts!) – If, after exploiting the vulnerability, the attacker doesn’t already have the required level of access to perform their intended task, they will try to escalate to an account which does. One of the easiest ways for them to do this is to identify other user accounts used on a device and guess/crack the passwords for them. If weak passwords are used, this process becomes very easy for an attacker.

  Firewalls (either local software or edge) – may be able to prevent an attacker from exploiting the vulnerability in the first place. Most forms of this attack involve the vulnerable machine making an outbound call back to a server hosting the attacker's malicious code. If that communication can be stopped, the exploit will not work. Ensuring firewalls are enabled, updated and correctly configured (including for outbound connections from servers) could help to prevent the attack in the first place.

These measures have long been part of our suggested best practice for schools, so now is the time to review them again. If they are not already in place, it is relatively easy to make the required changes on your system, but it will require some action from current users (e.g. amending weaker passwords).

Backups

Again, should an attacker be successful in gaining remote code execution, one likely future use of the vulnerability, although not yet prevalent in the examples seen so far, will be to deploy and activate ransomware with a view to extorting money from affected users. Some Antivirus solutions may help with protection from Ransomware, but, as we have always suggested, an effective backup solution should be considered essential, so that an encrypted system can be recovered from backup. All backups should be regularly performed, checked and maintained to ensure they are working effectively.

If you have questions about what you’ve read or just want to discuss your organisation's Cyber Security further, please get in touch. You can talk to your Account Manager if you are already a client, or reach out to us at info@computeam.co.uk or give us a call on 0800 862 0123.

Posted by Computeam on December 13th 2021
