Log4j 2.15.0 and previously suggested mitigations may not be enough

Published: 2021-12-14. Last Updated: 2021-12-14 20:55:02 UTC
by Renato Marinho (Version: 1)
4 comment(s)

According to a new Apache Log4j security bulletin, version 2.15.0 and the initially suggested mitigation measures do not completely address the Log4Shell vulnerability in certain non-default configurations.

It was discovered that version 2.15.0 is still vulnerable when the logging configuration uses a pattern layout containing a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC). In these cases, an attacker who controls Thread Context Map values can inject JNDI lookups, resulting in outbound JNDI connections. Version 2.15.0 restricts JNDI connections to localhost by default, but this can still result in a denial of service (DoS) or worse.

Therefore, a new version (2.16.0) has been released to completely fix the issue (so far, at least), now tracked as CVE-2021-45046, along with more effective mitigation measures for 2.x versions:

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The mitigation measures previously reported, such as setting the log4j2.formatMsgNoLookups system property to 'true', are no longer considered fully effective. The advisory says:

 "The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors."

So, if you cannot upgrade to 2.16.0 (or 2.12.2 on Java 7) and have relied on the previous mitigations instead, you are advised to remove the JndiLookup class from the log4j-core jar to mitigate the vulnerability. Given the Thread Context vector described above, this applies to 2.15.0 deployments as well.
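As an added example (not code from the Apache Log4j project or from this diary), the following Python script automates the triage the advisory implies: it finds log4j-core jars under a directory, reads the version from the jar's Maven pom.properties (an assumption about the jar layout, not something the advisory states), decides whether that version is one of the fixed releases named above (2.16.0, or 2.12.2 on the Java 7 branch), and performs the same JndiLookup.class removal as the zip -q -d command without needing the zip binary. It also greps a configuration snippet for the pattern-layout constructs ($${ctx:...}, %X, %mdc, %MDC) that keep 2.15.0 exposed. The jars it builds for the demonstration are constructed stand-ins with placeholder bytes, not real Log4j classes.

```python
"""Log4Shell triage for log4j-core jars (CVE-2021-44228 / CVE-2021-45046).

Added example, not code from the Apache Log4j project or the diary.
Assumption (not from the page): the jar carries Maven metadata at POM_PROPS,
which is where the version is read from.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Pattern-layout constructs that keep 2.15.0 exposed via the Thread Context Map
CTX_PATTERNS = re.compile(r"\$\{ctx:|%X\b|%mdc\b|%MDC\b")


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); missing components are padded with zeros."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(version):
    """True if a Log4j 2.x version predates the fix on its branch, None for non-2.x."""
    major, minor, patch = parse_version(version)
    if major != 2:
        return None  # 1.x or unknown: outside the scope of this advisory
    if minor == 12:
        return patch < 2  # Java 7 branch, fixed in 2.12.2
    return (minor, patch) < (16, 0)  # every other 2.x branch, fixed in 2.16.0


def config_uses_thread_context(config_text):
    """Return the pattern-layout constructs that reintroduce the Thread Context vector."""
    return sorted(set(CTX_PATTERNS.findall(config_text)))


def inspect_jar(path):
    """Report version, presence of JndiLookup.class and whether the jar is still exposed."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    fixed = version is not None and is_vulnerable(version) is False
    # Exposed if the lookup class is present and the version is not a fixed release;
    # an unknown version with the class present is deliberately treated as exposed.
    return {"path": path, "version": version, "has_jndi_lookup": has_jndi,
            "exposed": has_jndi and not fixed}


def strip_jndi_lookup(path):
    """Same effect as `zip -q -d log4j-core-*.jar .../JndiLookup.class`, without zip."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # atomic swap so a crash never leaves a half-written jar


def scan_tree(root):
    """Yield a report for every log4j-core*.jar below root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                yield inspect_jar(os.path.join(dirpath, name))


def build_sample_jar(path, version):
    """Constructed stand-in for a log4j-core jar: real entry names, placeholder bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # 2.16.0 still ships this class


def demo():
    """Triage three constructed jars, strip the exposed ones and re-check."""
    workdir = tempfile.mkdtemp(prefix="log4shell-")
    try:
        exposed_before, after = {}, {}
        for version in ("2.14.1", "2.15.0", "2.16.0"):
            jar = os.path.join(workdir, f"log4j-core-{version}.jar")
            build_sample_jar(jar, version)
            exposed_before[version] = inspect_jar(jar)["exposed"]
            if exposed_before[version]:
                strip_jndi_lookup(jar)
        for report in scan_tree(workdir):
            after[report["version"]] = report
        return {"exposed_before": exposed_before,
                "exposed_after": {v: r["exposed"] for v, r in after.items()},
                "jndi_present_after": {v: r["has_jndi_lookup"] for v, r in after.items()}}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    print(config_uses_thread_context('<PatternLayout pattern="%d %p $${ctx:loginId} %X{id} %m%n"/>'))
```

Two design points worth noting. The check keys on the version rather than on class presence alone, because 2.16.0 still ships JndiLookup.class (it simply disables JNDI by default), so a "class present" scanner would flag patched jars. And removing the class closes the JNDI sink itself, which is why the advisory prefers it over formatMsgNoLookups: the Logger.printf and custom-message-factory code paths quoted above still perform lookups, but with no JndiLookup on the classpath a ${jndi:...} lookup has nothing to resolve to.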

The advisory is available at: https://logging.apache.org/log4j/2.x/security.html

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter


Microsoft December 2021 Patch Tuesday

Published: 2021-12-14. Last Updated: 2021-12-14 19:01:04 UTC
by Renato Marinho (Version: 1)
0 comment(s)

Amidst the unfolding Log4Shell vulnerability, more updates have just arrived with December's Microsoft Patch Tuesday. This month we got patches for 83 vulnerabilities. Of these, 7 are rated critical, 6 were previously disclosed, and 1 is being exploited in the wild according to Microsoft.

The 0-day is a spoofing vulnerability in the Windows AppX Installer (CVE-2021-43890). According to the advisory, Microsoft is aware of attempts to exploit this vulnerability using specially crafted packages to deliver malware families such as Emotet, Trickbot, and BazaLoader. An attacker could send a malicious attachment in a phishing campaign and convince the user to open it. Users of the App Installer are advised to upgrade to the fixed version using the links in the security advisory. The CVSS for this vulnerability is 7.1.

Among the critical vulnerabilities, an iSNS Server memory corruption vulnerability can lead to remote code execution (CVE-2021-43215). According to the advisory, an attacker could send a specially crafted request to an Internet Storage Name Service (iSNS) server, resulting in remote code execution. The iSNS Server service is not installed by default and is used for interaction between iSNS servers and iSNS clients, so check whether the role is actually present before treating a host as exposed. The CVSS for this vulnerability is 9.8.

There is also a critical vulnerability affecting the Microsoft Office app that can lead to RCE (CVE-2021-43905). According to the advisory, the attack vector is network, the attack complexity is low, and user interaction is required. The CVSS v3 for this vulnerability is 9.6.

In addition to the iSNS issue, two other vulnerabilities share this month's highest CVSS of 9.8: an RCE in the Visual Studio Code WSL Extension (CVE-2021-43907) and an RCE in the Microsoft 4K Wireless Display Adapter (CVE-2021-43899). For the WSL Extension issue, according to the advisory, the attack vector is network, the attack complexity is low, and no user interaction is required to exploit the vulnerability.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

December 2021 Security Updates

Description
CVE  Disclosed  Exploited  Exploitability (old versions)  Exploitability (current version)  Severity  CVSS Base (AVG)  CVSS Temporal (AVG)
ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability
CVE-2021-43877 No No Less Likely Less Likely Important 7.8 6.8
Bot Framework SDK Remote Code Execution Vulnerability
CVE-2021-43225 No No Less Likely Less Likely Important 7.5 6.7
Chromium: CVE-2021-4052 Use after free in web apps
CVE-2021-4052 No No - - -    
Chromium: CVE-2021-4053 Use after free in UI
CVE-2021-4053 No No - - -    
Chromium: CVE-2021-4054 Incorrect security UI in autofill
CVE-2021-4054 No No - - -    
Chromium: CVE-2021-4055 Heap buffer overflow in extensions
CVE-2021-4055 No No - - -    
Chromium: CVE-2021-4056: Type Confusion in loader
CVE-2021-4056 No No - - -    
Chromium: CVE-2021-4057 Use after free in file API
CVE-2021-4057 No No - - -    
Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE
CVE-2021-4058 No No - - -    
Chromium: CVE-2021-4059 Insufficient data validation in loader
CVE-2021-4059 No No - - -    
Chromium: CVE-2021-4061 Type Confusion in V8
CVE-2021-4061 No No - - -    
Chromium: CVE-2021-4062 Heap buffer overflow in BFCache
CVE-2021-4062 No No - - -    
Chromium: CVE-2021-4063 Use after free in developer tools
CVE-2021-4063 No No - - -    
Chromium: CVE-2021-4064 Use after free in screen capture
CVE-2021-4064 No No - - -    
Chromium: CVE-2021-4065 Use after free in autofill
CVE-2021-4065 No No - - -    
Chromium: CVE-2021-4066 Integer underflow in ANGLE
CVE-2021-4066 No No - - -    
Chromium: CVE-2021-4067 Use after free in window manager
CVE-2021-4067 No No - - -    
Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page
CVE-2021-4068 No No - - -    
DirectX Graphics Kernel File Denial of Service Vulnerability
CVE-2021-43219 No No Less Likely Less Likely Important 7.4 6.4
HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2021-40452 No No Less Likely Less Likely Important 7.8 6.8
CVE-2021-40453 No No Less Likely Less Likely Important 7.8 6.8
CVE-2021-41360 No No Less Likely Less Likely Important 7.8 6.8
Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
CVE-2021-43899 No No Less Likely Less Likely Critical 9.8 8.5
Microsoft BizTalk ESB Toolkit Spoofing Vulnerability
CVE-2021-43892 No No - - Important 7.4 6.7
Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2021-42312 No No Less Likely Less Likely Important 7.8 6.8
Microsoft Defender for IoT Information Disclosure Vulnerability
CVE-2021-43888 No No Less Likely Less Likely Important 7.5 7.0
Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2021-42310 No No Less Likely Less Likely Critical 8.1 7.1
CVE-2021-42311 No No Less Likely Less Likely Important 8.8 7.7
CVE-2021-42313 No No Less Likely Less Likely Important 8.8 7.7
CVE-2021-42314 No No Less Likely Less Likely Important 8.8 7.7
CVE-2021-42315 No No Less Likely Less Likely Important 8.8 7.7
CVE-2021-43882 No No Less Likely Less Likely Important 9.0 7.8
CVE-2021-43889 No No Less Likely Less Likely Important 7.2 6.7
CVE-2021-41365 No No Less Likely Less Likely Important 8.8 7.7
Microsoft Excel Remote Code Execution Vulnerability
CVE-2021-43256 No No Less Likely Less Likely Important 7.8 6.8
Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability
CVE-2021-42293 No No Less Likely Less Likely Important 6.5 5.7
Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability
CVE-2021-43216 No No Less Likely Less Likely Important 6.5 5.7
Microsoft Message Queuing Information Disclosure Vulnerability
CVE-2021-43222 No No Less Likely Less Likely Important 7.5 6.5
CVE-2021-43236 No No Less Likely Less Likely Important 7.5 6.5
Microsoft Office Graphics Remote Code Execution Vulnerability
CVE-2021-43875 No No Less Likely Less Likely Important 7.8 6.8
Microsoft Office Trust Center Spoofing Vulnerability
CVE-2021-43255 No No Less Likely Less Likely Important 5.5 4.8
Microsoft Office app Remote Code Execution Vulnerability
CVE-2021-43905 No No More Likely More Likely Critical 9.6 8.6
Microsoft PowerShell Spoofing Vulnerability
CVE-2021-43896 No No Less Likely Less Likely Important 5.5 4.8
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2021-42294 No No Less Likely Less Likely Important 7.2 6.3
CVE-2021-42309 No No Less Likely Less Likely Important 8.8 7.7
Microsoft SharePoint Server Spoofing Vulnerability
CVE-2021-42320 No No Less Likely Less Likely Important 8.0 7.0
CVE-2021-43242 No No Less Likely Less Likely Important 7.6 6.6
NTFS Set Short Name Elevation of Privilege Vulnerability
CVE-2021-43240 Yes No Less Likely Less Likely Important 7.8 7.0
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2021-43233 No No More Likely More Likely Critical 7.5 6.5
Storage Spaces Controller Information Disclosure Vulnerability
CVE-2021-43227 No No Less Likely Less Likely Important 5.5 4.8
CVE-2021-43235 No No Less Likely Less Likely Important 5.5 4.8
SymCrypt Denial of Service Vulnerability
CVE-2021-43228 No No Less Likely Less Likely Important 7.5 6.5
VP9 Video Extensions Information Disclosure Vulnerability
CVE-2021-43243 No No Less Likely Less Likely Important 5.5 4.8
Visual Basic for Applications Information Disclosure Vulnerability
CVE-2021-42295 No No Less Likely Less Likely Important 5.5 4.8
Visual Studio Code Remote Code Execution Vulnerability
CVE-2021-43891 No No Less Likely Less Likely Important 7.8 6.8
Visual Studio Code Spoofing Vulnerability
CVE-2021-43908 No No Less Likely Less Likely Important    
Visual Studio Code WSL Extension Remote Code Execution Vulnerability
CVE-2021-43907 No No Less Likely Less Likely Critical 9.8 8.5
Web Media Extensions Remote Code Execution Vulnerability
CVE-2021-43214 No No Less Likely Unlikely Important 7.8 6.8
Windows AppX Installer Spoofing Vulnerability
CVE-2021-43890 Yes Yes Detected Detected Important 7.1 6.2
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2021-43226 No No More Likely More Likely Important 7.8 6.8
CVE-2021-43207 No No More Likely More Likely Important 7.8 6.8
Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2021-43224 No No Less Likely Less Likely Important 5.5 4.8
Windows Digital Media Receiver Elevation of Privilege Vulnerability
CVE-2021-43248 No No Less Likely Less Likely Important 7.8 6.8
Windows Digital TV Tuner Elevation of Privilege Vulnerability
CVE-2021-43245 No No Less Likely Less Likely Important 7.8 6.8
Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
CVE-2021-43893 Yes No Less Likely Less Likely Important 7.5 6.5
Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
CVE-2021-43217 No No Less Likely Less Likely Critical 8.1 7.1
Windows Event Tracing Remote Code Execution Vulnerability
CVE-2021-43232 No No Less Likely Less Likely Important 7.8 6.8
Windows Fax Service Remote Code Execution Vulnerability
CVE-2021-43234 No No Less Likely Less Likely Important 7.8 6.8
Windows Hyper-V Denial of Service Vulnerability
CVE-2021-43246 No No Less Likely Less Likely Important 5.6 4.9
Windows Installer Elevation of Privilege Vulnerability
CVE-2021-43883 Yes No More Likely More Likely Important 7.8 7.0
Windows Kernel Information Disclosure Vulnerability
CVE-2021-43244 No No Less Likely Less Likely Important 6.5 5.7
Windows Media Center Elevation of Privilege Vulnerability
CVE-2021-40441 No No Less Likely Less Likely Important 7.8 6.8
Windows Mobile Device Management Elevation of Privilege Vulnerability
CVE-2021-43880 Yes No More Likely More Likely Important 5.5 4.8
Windows NTFS Elevation of Privilege Vulnerability
CVE-2021-43229 No No Less Likely Less Likely Important 7.8 6.8
CVE-2021-43230 No No Less Likely Less Likely Important 7.8 6.8
CVE-2021-43231 No No Less Likely Less Likely Important 7.8 6.8
Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2021-41333 Yes No More Likely More Likely Important 7.8 7.2
Windows Recovery Environment Agent Elevation of Privilege Vulnerability
CVE-2021-43239 No No Less Likely Less Likely Important 7.1 6.2
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
CVE-2021-43223 No No Less Likely Less Likely Important 7.8 6.8
Windows Remote Access Elevation of Privilege Vulnerability
CVE-2021-43238 No No Less Likely Less Likely Important 7.8 6.8
Windows Setup Elevation of Privilege Vulnerability
CVE-2021-43237 No No Less Likely Less Likely Important 7.8 6.8
Windows TCP/IP Driver Elevation of Privilege Vulnerability
CVE-2021-43247 No No Less Likely Less Likely Important 7.8 6.8
iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution
CVE-2021-43215 No No More Likely More Likely Critical 9.8 8.5

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter


Log4j: Getting ready for the long haul (CVE-2021-44228)

Published: 2021-12-14. Last Updated: 2021-12-14 13:07:59 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

On Friday (Dec. 10th), we moved our Infocon to "Yellow" for the first time in about two years. We saw an immediate need to get the word out, as the Log4Shell vulnerability (CVE-2021-44228) was being actively exploited and affected various widely used products, and patches and workarounds were not readily available at the time. Our Infocon indicates "change," not "steady-state." By now, everybody in infosec knows about Log4Shell; this morning I noticed that even cnn.com had log4j/Log4Shell mentioned at the top of the page. Once CNN covers an infosec topic like this, it should be old news for anybody "in the field."

We are now moving our "Infocon" back to "green."

Log4Shell will continue to haunt us for years to come. Dealing with it will be a marathon; treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: how to live with Log4Shell long term.

Please keep notes as you deal with this vulnerability and as you find new instances of log4j in your environment. I don't think this is the last we have heard of log4j or JNDI. History has taught us that vulnerabilities like this focus attention on the features and libraries involved, and I suspect there is more to come.

As of this writing, log4j 2.16.0 is the officially fixed version. Log4j 2.15.0 was the initial fix; 2.16.0 addresses remaining issues with pattern layouts (CVE-2021-45046) that could still expose you to JNDI lookups.

Here are a few resources about log4j/log4shell:

RCE in Log4j / Log4Shell or how things can get bad quickly
https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/

Log4Shell Exploited to Implant Coin Miners
https://isc.sans.edu/forums/diary/Log4Shell+exploited+to+implant+coin+miners/28124/

Log4Shell Live Stream
https://www.youtube.com/watch?v=oC2PZB5D3Ys

Log4Shell Followup: What we see and how to defend, and how to access our data
https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/

Log4j Zero-Day
https://www.lunasec.io/docs/blog/log4j-zero-day/

List of Vendor Bulletins
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

List of Vulnerable Software
https://github.com/NCSC-NL/log4shell/tree/main/software

Official log4j Website
https://logging.apache.org/log4j/2.x/

log4j 2.16 update, which fixes some remaining JNDI-related issues
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3221?filter=allissues


---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
