Log4Shell
Source: Kevin Beaumont

Researchers from cybersecurity firm Cybereason has released a “vaccine” that can be used to remotely mitigate the critical ‘Log4Shell’ Apache Log4j code execution vulnerability running rampant through the Internet.

Apache Log4j is a Java-based logging platform that can be used to analyze web server access logs or application logs. The software is heavily used in the enterprise, eCommerce platforms, and games, such as Minecraft who rushed out a patched version earlier today.

Early this morning, researchers released a proof-of-concept exploit for a zero-day remote code execution vulnerability in Apache Log4j tracked as CVE-2021-44228 and dubbed ‘Log4Shell.’ 

While Apache quickly released Log4j 2.15.0 to resolve the vulnerability, the vulnerability is trivial to exploit, and cybersecurity firms and researchers quickly saw attackers scan and attempt to compromise vulnerable devices.

As threat actors can exploit this vulnerability by simply changing their web browser’s user agent and visiting a vulnerable site or searching for that string on a site, it quickly became a nightmare for the enterprise and some of the most popular websites on the web.

Vaccine released for Log4Shell

Friday evening, cybersecurity firm Cybereason released a script, or “vaccine,” that exploits the vulnerability to turn off a setting in remote, vulnerable Log4Shell instance. Basically, the vaccine fixes the vulnerability by exploiting the vulnerable server.

This project is called ‘Logout4Shell’ and walks you through setting up a Java-based LDAP server and includes a Java payload that will disable the ‘trustURLCodebase’ setting in a remote Log4j server to mitigate the vulnerability.

“While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath,” Cybereason explains on the Logout4Shell GitHub Page.

“Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk.

This may sound like a helpful tool to quickly neutralize the vulnerability in an environment you manage. Still, there are obvious concerns that threat actors or grey hat hackers will co-opt it for illegal behavior.

It is common for threat actors to breach a device and patch vulnerabilities to block other hackers from taking over a compromised server.

There is also concern that security researchers may use the vulnerability to remotely fix servers, even though doing something like this is considered illegal.

However, this has not stopped grey hats from using exploits to take vulnerable devices offline. In the past, we saw the BrickerBot malware take vulnerable routers offline, and gray hates exploiting Internet-connected printers to issue warnings to take them offline.

When we asked Cybereason if they were concerned their Logout4Shell project could be abused, Cybereason CTO Yonatan Striem-Amit told BleepingComputer that they believe the benefits outweigh the potential for abuse in this situation.

While always a possibility, it’s an issue of a calculated risk. This vulnerability is so critical and already massively abused across the Internet, we felt compelled to offer something to help defenders across the globe buy precious time against these hackers.

From an impact perspective, it’s very similar to the Apache Struts vulnerability that was used to steal information from Equifax in May-July 2017.” – Yonatan Striem-Amit, CTO and Co-founder, Cybereason.

If you are interested in trying out Logout4Shell, you can visit the project’s GitHub page.

Source: www.bleepingcomputer.com