contact@p1sec.com

Remote Code Execution through Signaling Using Log4j (CVE-2021-44228)

What is Log4Shell ?

Log4Shell (CVE-2021-44228) is a vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. It impacts the library version from 2.0-beta9 to 2.16.0, excluding 2.12.3 .

The vulnerability — which existence wasn’t noticed since 2013 — was privately disclosed to The Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of the Alibaba’s Cloud Security Team on 24 November 2021, and was publicly disclosed on 9 December 2021.

Apache gave Log4Shell a CVSS severity rating of 10, the highest score available. It is estimated that the exploit affects hundreds of millions of devices.

How it works

The vulnerability takes advantage of Log4j, a Java logging library that supports JNDI lookup in the logged data by default. JNDI is a Java API made to query remote directories such as LDAP servers.

Such directories can contain arbitrary serialized Java Objects and thus can be exploited by attackers by querying their own controlled LDAP directories  to run arbitrary Java code by a vulnerable application.

The P1 Security Labs Team has developed a dedicated testcase scenario leveraging this vulnerability  for signaling network in customer environments as part of our P1 Telecom Auditor (PTA).

Impact

The P1 Security Team found that it is possible to trigger the Log4j exploit and perform an RCE over signaling against Telecommunication equipment.

Many telecom components handling signaling or data from signaling may be affected by the vulnerability: SIEM, billing systems, IMS services, monitoring platforms…

Sending the malicious payload over signaling will allow an attacker to have a full RCE on the operator core network.

Due to the ease of exploitation and the extent of applicability, we think that the impact is High.

Recommendation

P1 Security encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity.

Update all vulnerable applications to use the latest version of log4j if possible, if not, update log4J configuration to globally disable Java/Java JNDI lookup from logged data https://logging.apache.org/log4j/2.x/security.html

Interested? Fill the online form now! https://log4j-tester.p1sec.fr/

Find more on the P1 Labs!

About the Author