Hey there everyone, your friendly neighborhood tech pede here. Not sure how much attention people here pay to tech news but over the past two days there has been a bit of info that's been trickling into even some mainstream news sites about a recently discovered vulnerability called Log4Shell. These sites have been saying how this vulnerability has the potential to be pretty bad. As a guy that's worked in tech for pretty much all my life, let me rephrase that for them. This vulnerability has the potential to be catastrophic.
I work in the civ, non-gov't sector and I have more NDAs signed than I can count so I can't go into specifics of clients or ongoing cases that we're involved in. But we see cases come in where massive companies get their data stolen and ransomed for millions and no one at my work really thinks twice about it because we work with this stuff every day. But this one has us all worried.
What is this vulnerability?
There's a couple jargon filled writeups here:
But long story short, in order for a website or service to be accessible via the Internet, it needs a web server in place. The most widely used one of these is a web server called Apache that's been around for about 25 years. Every web server (and really any application on a computer) keeps a log of everything that it does in order to track errors, see unauthorized access, that kind of thing. This exploit specifically targets this built-in logging feature in Apache in order to gain full access to the web server and drop pretty much anything it wants on it.
So how bad is it?
Bad. Really, really bad. Bad enough that as soon as it was released, it immediately hit the ceiling as a 10.0 out of 10.0 on the CVE index and that was only because the index didn't go higher. For reference, the HAFNIUM exploits from this past February/March that caused hundreds of thousands of mail servers across the globe to have their data stolen and their systems crashed didn't even reach that mark, with most of the affected CVEs for that exploit coming in at 7.8.
Unlike the HAFNIUM exploit, this vulnerability appears to have the potential to be a C2C (computer to computer) worm, which means that once it's infected a web server it can spread uncontrolled to basically any device connected to that web server.
So it only affects these web servers, right?
Not necessarily. Evidence is still coming out but it appears as though this may be able to spread to any device that communicates with an Apache-based web server. The biggest example right now is Minecraft, which released a zero-day patch just yesterday to help protect against this. Basically if you don't have that patch then if you connect to a multiplayer server then you're vulnerable.
But it's not just services like Minecraft. A lot of applications also have what's referred to as integrated web servers, which is where the Apache web server does not exist independently of the application. If it were to be independent, then you could just patch the web server and call it a day. But if it's integrated you need to re-code portions of the ENTIRE application in order to get it updated to protect against this. There's not enough manpower in the world to do this.
Look at the numbers of just websites running Apache alone. There are over 1.7 billion websites in the world and about 32% are known to run Apache. The actual number is most certainly higher. Even in a best-case scenario, we're looking at over 500 million websites that are affected by this.
But again, it's not just websites, it's services as well...especially services that run on Java. You know that fancy satellite radio in your car? That runs on Java and reports to a web server. You know that new TV you got on Black Friday? Yep, that runs Java and reports to a web server. That fancy new smart plug that lets you turn lights on and off from your phone? Take a guess.
Seeing why we're worried?
Well, crap.
Don't worry, it gets worse! So far there have been a list of about 150 international backbone companies that have been seen to be affected by this. These companies range from everything from home devices to antivirus and backup software. Some companies such as Kronos (UKG) have already had their services nuked...whether it's by this vulnerability or not isn't known yet. But Kronos is saying that it will be "several weeks" before things are back functioning again.
https://www.theregister.com/2021/12/13/ultimate_kronos_group_ransomware_attack/
So once this hits a server, it hits FAST and it hits HARD and it goes DOWN.
So these attacks are already happening?
They haven't even really started, that's the fun part. There has been some evidence that these have been circulating to some extent in the wild but there hasn't been a mass-scale attack like we've usually seen. Current insiders are estimating that a worm that can fully take advantage of this C2C spread will be completed and deployed within 24-48 hours:
https://nitter.net/Laughing_Mantis/status/1470165580736987137
So what should I do?
If you're in tech, get your Apache web servers updated immediately. Get off this site and just do it. If you have kids that are running a Minecraft server (hell, just even playing Minecraft on PC in general) then make sure it's updated. Microsoft has more info here:
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
If you're just a regular tech user then make sure you have a few good, long books just in case things go FUBAR. And strap the fuck in.
If planned, then the exploit would have been knowingly planted years ago. Then, add to the fact that the software op is mentioning is open source, meaning, the source code is freely available. In turn, meaning that the exploit could not have been secretly injected as a community of developers would have likely caught it.
So not saying it's not an intentional exploit, but I am saying it is very unlikely that it is. To be effective, this exploit would have had to have been added 3-5 years ago since many organizations will run their software on old versions as long as they can possibly get away with it.
If it is intentional, then the exploit must be extremely sophisticated and cryptic in nature. I'll have to take a closer look at the code now. I'm suspecting it's code that's been in the codebase for over a decade.
It's a possibility for sure, I just think unlikely. But you never know...