CVE-2021-44228: New Updates to the Hacker’s Playbook – Apache Log4j Vulnerability

byTomer Bar

Research

On December 9th, 2021, the security community became aware of a newly discovered zero-day vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1.

According to the Cyber Security Infrastructure Security Agency, a remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

Apache Log4j <=2.14.1 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Simply stated, the attacker needs to send data that a vulnerable web server will log for successful exploitation.

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.

The SafeBreach Research Labs has been tracking, and the SafeBreach Hacker’s Playbook has been updated to include three new attacks.

  • Attack #6843 - Communication with a real malicious server exploiting CVE-2021-44228 (log4j) using LDAP.
  • Attack #6844 - Communication with server vulnerable to CVE-2021-44228 (log4j) using HTTP.
  • Attack #6845 - Remote exploitation of Apache Log4j vulnerability CVE-2021-44228.

To access all the attacks associated with you can search by the below attack numbers and follow these steps:

Phase 1 - Attack #6845 - Remote exploitation of Apache Log4j vulnerability CVE-2021-44228

This is an advanced host-level attack; the attacker ends an HTTP/s packet to exploit a real web server. The goal of the attack is to test web applications and network security controls. It is possible to clone and customize to test real customers’ web servers.

This is the most recommended attack for customers that prefer testing their webApp’s security controls.

Phase 1 - Attack #6844 - Communication with a customer server vulnerable to CVE-2021-44228 (log4j) using HTTP.

This is an attack between 2 simulators. The attacker simulator sends an HTTP packet including the exploit in the HTTP "user-agent” field. This packet should be blocked by network/web security controls. The attack is an infiltration attack; the target simulator should be accessible from the source simulator (port 80).

The usage of this attack is recommended to customers that prefer not to run it on their real servers.

Phase 2 - Attack #6843 - Communication with a real malicious server exploiting CVE-2021-44228 (log4j) using LDAP.

This is an advanced attack on a real malicious C2 server. The attack is at the host level. The simulator simulates the triggering of the vulnerability and the LDAP bind connection to the C2 server request. If the C2 server is alive and responds with LDAP_response, it means that the security controls failed to block it. It is possible to clone and customize to test new published Indicators of Compromise (IOC).

This attack is recommended for customers that prefer to test their network controls against a real C2 server.

SafeBreach continues to monitor the situation actively and collaborate with our partners to ensure you have the most up-to-date information.

Additional Resources

Headquarters

  • 111 W Evelyn Ave
  • Sunnyvale, CA94086
  • USA
  • 408-743-5279

R&D Center

  • Yosef Karo St 18
  • Tel Aviv-Yafo,
  • Israel
  • +972-77-434-4506
© SafeBreach Inc. 2022
|