Security researchers have discovered a new attack vector that exploits the Log4j vulnerability, just as the Apache Software Foundation released yet another patch to address the overall issue.
Previously discovered ways of exploiting Log4j went through vulnerable servers. This attack vector differs in that anyone with a vulnerable version of Log4j on a local machine or private network can browse to a website and potentially trigger the vulnerability.
This greatly expands the attack surface, since the vulnerability can now be triggered through a malicious website. The attack vector can even affect services running only on localhost, which have never been exposed to any network.
The researchers noted that there is no evidence of active exploitation, but the client typically has no direct control over WebSocket connections, which can start silently when a web page loads. It can be difficult to gain deep visibility into WebSocket connections, which makes detecting this attack more complex.
“WebSockets have been used in the past to scan ports on internal systems, but this represents one of the first remote code execution exploits relayed by WebSockets,” Jake Williams, co-founder and chief technology officer of incident response company BreachQuest Inc., told SiliconANGLE. “That shouldn’t change anyone’s stance on vulnerability management, however. Organizations should strive to quickly patch and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”
John Bambenek, senior threat hunter at IT service management company Netenrich Inc., noted that while the newly discovered attack vector is important, attackers will likely favor the remote exploit over the local one.
“That being said, this news means that relying on the WAF or other network defenses is no longer an effective mitigation,” Bambenek added. “Applying fixes is still the most important step an organization can take.”
The emergence of a new attack vector comes as Apache was forced to release a third patch for the Log4j vulnerability, version 2.17.0.
Apache says the patch fixes an issue in 2.16.0, which did not protect against uncontrolled recursion from self-referential lookups and therefore remained exposed to CVE-2021-45105, a Log4j denial-of-service vulnerability.
The severity of the Log4j vulnerability continues to draw attention, including from government agencies. After initially warning of the vulnerability on December 14 and ordering all federal agencies to fix it by December 24, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released an emergency directive on December 17.
The CISA emergency directive orders all federal civilian executive branch agencies to address the Log4j vulnerability. It applies only to government agencies, but CISA strongly recommended that all organizations review the emergency directive for mitigation advice.