Cyber Forum
Log4j Vulnerability Information
<blockquote data-quote="MJ Shoer" data-source="post: 2539" data-attributes="member: 3">
<h3><span style="color: rgb(0, 168, 133)">Severity: Low TLP: Green</span> A New Attack Vector Exploits the Log4Shell Vulnerability on Servers Locally</h3>
<p><strong>Tags</strong></p>
<ol>
<li data-xf-list-type="ol"><strong>Critical CVE</strong></li>
</ol>
<p><strong>Summary</strong>:</p>
<p>“Researchers from cybersecurity firm Blumira devised a new attack vector that relies on a Javascript WebSocket connection to exploit the Log4Shell vulnerability on internal and locally exposed unpatched Log4j applications. Experts pointed out that this new attack vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network” (<a href="https://securityaffairs.co/wordpress/125800/hacking/log4shell-vulnerability-attack-vector.html" target="_blank">Security Affairs, 2021</a>).</p>
<p>There is currently no known active exploitation occurring on this new attack vector. The WebSockets involved in this vulnerability are used for applications like chat and alerts on websites. WebSockets are not restricted by same-origin policies like normal cross-domain HTTP, so they come with inherent security risks.</p>
<p>“The researchers published a proof-of-concept attack that uses a Java Naming and Directory Interface (JNDI) exploit that is triggered via a file path URL using a WebSocket connection to a machine with an installed vulnerable Log4j library. WebSockets allow for connections to any IP enlarging the surface of attack of vulnerable systems” (<a href="https://securityaffairs.co/wordpress/125800/hacking/log4shell-vulnerability-attack-vector.html" target="_blank">Security Affairs, 2021</a>).</p>
<p><strong>Analyst Comments:</strong></p>
<p>Using an open port to a local service or a service accessible to the host, attackers can use the JNDI exploit string to contact the exploit server and load the attacker's class. The payload executes with java.exe as the parent process.</p>
<p><strong>Mitigation:</strong></p>
<p>To mitigate the risk, experts recommend updating all local development efforts, internal applications and internet-facing environments to the latest Log4j 2.17 as soon as possible.</p>
<p>Admins should also look closely at their network firewall and egress filtering to restrict the callback required for the actual exploit to land.</p>
<p>Make sure that only certain machines can send out traffic over ports 53, 389, 636, and 1099. All other ports should be blocked.</p>
<p><strong>Source</strong>:</p>
<p><a href="https://securityaffairs.co/wordpress/125800/hacking/log4shell-vulnerability-attack-vector.html" target="_blank">https://securityaffairs.co/wordpress/125800/hacking/log4shell-vulnerability-attack-vector.html</a></p>
</blockquote>
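The post's mitigation is egress filtering: only designated machines may send outbound traffic on 53, 389, 636 and 1099, because the WebSocket-delivered JNDI string never crosses the perimeter and the only network-visible sign of a successful exploit is the host's callback to the attacker's DNS/LDAP/RMI server. The following is an added example (not from the post or from Blumira) that audits constructed firewall connection-log lines against such a per-port source allowlist; the log format, the allowlist and the internal ranges are assumptions for illustration.

```python
"""Egress audit for the Log4Shell callback ports named in the post.

Flags any connection on 53/389/636/1099 whose source host is not on the
allowlist for that port, and marks whether the destination is outside the
assumed internal ranges (an external callback is the higher-severity case).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Ports the post says to restrict, with the service a JNDI lookup uses on each.
CALLBACK_PORTS: Dict[int, str] = {53: "DNS", 389: "LDAP", 636: "LDAPS", 1099: "RMI"}

# Assumed allowlist (constructed): hosts that legitimately egress on each port.
ALLOWED_SOURCES: Dict[int, Set[str]] = {
    53: {"10.0.0.2", "10.0.0.3"},   # internal resolvers forward DNS upstream
    389: {"10.0.5.10"},              # directory sync host
    636: {"10.0.5.10"},
    1099: set(),                     # no host needs outbound RMI
}

# Assumed internal address space; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed log format: "... src=<ip> dst=<ip> dport=<port> ..." (constructed).
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, dport) or None for lines that do not match the format."""
    m = LINE_RE.search(line)
    return (m["src"], m["dst"], int(m["dport"])) if m else None


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(lines: List[str]) -> List[dict]:
    """Return one finding per callback-port connection from a non-allowlisted source."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than guess
        src, dst, dport = parsed
        if dport not in CALLBACK_PORTS or src in ALLOWED_SOURCES[dport]:
            continue
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "service": CALLBACK_PORTS[dport],
                         "external_dst": not is_internal(dst)})
    return findings


# Constructed sample: one dev workstation reaching out on LDAP and RMI.
SAMPLE_LOG = [
    "fw: src=10.0.0.2 dst=198.51.100.1 dport=53 proto=udp action=allow",
    "fw: src=10.0.7.44 dst=203.0.113.9 dport=389 proto=tcp action=allow",
    "fw: src=10.0.7.44 dst=203.0.113.9 dport=1099 proto=tcp action=allow",
    "fw: src=10.0.5.10 dst=10.0.5.20 dport=636 proto=tcp action=allow",
    "fw: src=10.0.7.44 dst=10.0.9.9 dport=443 proto=tcp action=allow",
    "malformed entry",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"BLOCK/INVESTIGATE {f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['service']}, external={f['external_dst']})")
```

Hosts that appear in the findings are candidates for the deny rule the post describes, and an external LDAP/RMI destination from a non-allowlisted host is the pattern to escalate first.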