What is the Log4j exploit and what can you do to stay safe?
The Log4j exploit, also known as Log4Shell or CVE-2021-44228, has been in the news in recent weeks. It’s bad! It’s everywhere! But what is it, really? How did it end up on millions of servers? And how can you protect yourself from the consequences of this security hole?
It’s not data, it’s code!
At the heart of the problem with Log4j is the confusion between simple data and executable commands. Malicious coders have exploited this kind of confusion almost forever.
In the days of DOS-based computer viruses, programs on disk were simply copied directly into memory and started. The first viruses were added as a block of data at the end of the host program. By changing one or two bytes at the start of the program, they forced DOS to run the virus code before launching the program. And the virus added itself to more programs during its brief run.
Windows programs, called portable executable programs (PEs), are much more sophisticated. Various blocks of information load into the appropriate memory area, and these blocks are marked as code or data. Even so, criminals devised attacks that forced the execution of what was supposed to be data. Modern versions of Windows use Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to thwart such attacks.
Java and Open Source
Log4j is written in Java, which means that it inherently does not have protections like DEP and ASLR. On the other hand, it is an open source package. This means that anyone (well, anyone with coding skills) can read the source code, spot bugs, and help improve the package.
The theory is that open source code is safer because so many eyes have examined it that a backdoor or other unwanted functionality could not lurk in the code unnoticed. A library that handles something sensitive, such as encryption, really does come under that scrutiny. A simple log-writing module, apparently, hasn’t received enough attention.
Why is it everywhere?
When there is a security vulnerability in a popular operating system or browser, it usually only affects users of that operating system or browser. The publisher builds a new version that fixes the hole, pushes out an update, and all is well.
Log4j is different. It is not an operating system, nor a browser, nor even a program. Rather, it is what coders call a library, package, or code module. It serves one purpose: to keep a log of what is happening on a server.
People who write code want to focus on what makes their program unique. They don’t want to reinvent the wheel. So they rely on countless libraries of existing code, such as Log4j. The Log4j module comes from Apache, which is the most widely used web server software. And that’s why it’s found on millions of servers.
Who is the victim here?
Here is an important point. Attacks using the vulnerability in Log4j are not aimed at you. A hacker who forces a server to log a line of text that becomes a command aims to install malware on that server. Microsoft reports that state-sponsored hackers are using it, which could lead to ransomware. Apple, Cloudflare, Twitter, Valve and other big companies have been affected.
You may have seen (or browsed past) a YouTube video in which a security researcher demonstrated the takeover of a Minecraft server using nothing more than the in-game chat. That doesn’t mean the players involved in the chat were affected. It means that the researcher forced the server to execute arbitrary code.
But don’t relax just yet. A hacker who can execute arbitrary code on the affected server has unlimited options. Of course, a ransomware attack against the owner of the server could be very lucrative, as could co-opting the server into bitcoin mining. But it is also possible that the hacker subverts the server, causing it to inflict malware on visitors to websites hosted on that server.
What can I do?
The Log4j exploit is just one of many security holes exploited by bad actors. CISA’s catalog of exploited vulnerabilities lists 20 discoveries in December alone. On closer inspection, you will see that some are already fixed, but others have a fix that is not due for six months or more. Of course, few will have the impact of the Log4j exploit.
As for protection against the Log4j exploit on the server side, it is ridiculously simple. There is a setting that controls whether the logging system can interpret the data it logs as code. Turning that switch off does the job. Understandably, Apache released an update to the code module, but some researchers report that the only significant change in the update is that this switch is now turned off by default.
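To make the data-versus-code confusion concrete, here is an added example that is not Log4j’s code and not part of the original article. It is a hypothetical toy logger written for this page: a “lookup” is a `${prefix:name}` token that the logger replaces with a value at log time, and the only resolver is a constructed in-memory dictionary (no directory services, no network). The vulnerable behaviour is to run lookup substitution on a message that came from outside; the hardened behaviour, controlled by a switch modelled on the “no lookups” setting described above, treats that message as plain data. The names `ToyLogger`, `FAKE_ENV`, `expand` and `contains_lookup` are all assumptions of this example.

```python
"""Toy model of the data-vs-code confusion behind Log4Shell (hypothetical,
not Log4j's own implementation)."""
import re

# Constructed sample "environment" that a lookup can read. In a real
# logging library, lookup prefixes reach much further than a dictionary.
FAKE_ENV = {"HOSTNAME": "app-01", "DB_PASSWORD": "s3cret"}

# A lookup token looks like ${prefix:name}.
LOOKUP_RE = re.compile(r"\$\{([a-z]+):([^}]*)\}")


def resolve_lookup(prefix, name):
    """Resolve one ${prefix:name} token. Only the 'env' prefix is modelled."""
    if prefix == "env":
        return FAKE_ENV.get(name, "")
    return ""  # unknown prefix: resolve to nothing


def expand(text):
    """Replace every lookup token in text with its resolved value."""
    return LOOKUP_RE.sub(lambda m: resolve_lookup(m.group(1), m.group(2)), text)


def contains_lookup(text):
    """Defensive check: does untrusted text carry a lookup token at all?
    Useful for alerting, but nested or obfuscated tokens can slip past a
    pattern this simple, so the switch below, not this filter, is the fix."""
    return LOOKUP_RE.search(text) is not None


class ToyLogger:
    def __init__(self, format_msg_no_lookups=False):
        # True: the logged message is data and is never expanded.
        self.no_lookups = format_msg_no_lookups
        self.lines = []

    def info(self, pattern, message):
        # The pattern is written by the developer and is trusted; it may
        # legitimately contain lookups such as ${env:HOSTNAME}.
        rendered = expand(pattern)
        # The message came from outside (a request header, a chat line, a
        # username). Expanding it too is the bug: data is treated as code.
        if not self.no_lookups:
            message = expand(message)
        line = rendered.replace("%m", message)
        self.lines.append(line)
        return line


def demo():
    """Log the same constructed untrusted string through a vulnerable and a
    hardened logger and return both resulting lines."""
    untrusted = "user login: ${env:DB_PASSWORD}"  # constructed attacker-supplied text
    pattern = "[${env:HOSTNAME}] %m"
    vulnerable = ToyLogger(format_msg_no_lookups=False)
    hardened = ToyLogger(format_msg_no_lookups=True)
    return vulnerable.info(pattern, untrusted), hardened.info(pattern, untrusted)


if __name__ == "__main__":
    vuln_line, safe_line = demo()
    print("vulnerable:", vuln_line)
    print("hardened:  ", safe_line)
```

Running `demo()` shows the difference on one line: the vulnerable logger writes the resolved secret into the log, because it expanded a token the attacker supplied, while the hardened logger writes the literal `${env:DB_PASSWORD}` text. The developer’s own `${env:HOSTNAME}` in the pattern still resolves in both cases, which is why the switch only needs to cover the message, not the whole format string.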
As stated, Log4j is code designed for servers, and the exploit affects servers. However, you can be indirectly affected if a hacker uses it to shut down a server that matters to you, or tries to use the server to spread spam, malicious downloads, or other malware attacks.
There is nothing you can do to avoid the impact of a server being taken down, but you can protect yourself against these secondary attacks by installing a powerful antivirus utility and keeping it updated. Do your part by staying alert for phishing scams, using a password manager, and running your internet traffic through a virtual private network, or VPN. Keeping your own data, devices, and connections secure means you are unlikely to be affected by the fallout from a Log4j exploit attack.