Remote code execution through signalling using LOG4J (CVE-2021-44228)

High-severity Log4j vulnerability in Java that allows RCE. It affects versions 2.0-beta9 to 2.16.0. Discovered in 2021, it has a high impact, and updating is recommended.

Research
Dec 22, 2021
What is Log4Shell?

Log4Shell (CVE-2021-44228) is an arbitrary code execution vulnerability in Log4j, a popular Java logging framework. It affects library versions 2.0-beta9 to 2.16.0, excluding 2.12.3.

The vulnerability, which had gone unnoticed since 2013, was privately disclosed to The Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba’s Cloud Security Team on 24 November 2021, and was publicly disclosed on 9 December 2021.

Apache gave Log4Shell a CVSS severity rating of 10, the highest score available. It is estimated that the exploit affects hundreds of millions of devices.

How it works

The vulnerability takes advantage of the fact that Log4j, a Java logging library, supports JNDI lookups in logged data by default. JNDI is a Java API for querying remote directories such as LDAP servers.

Such directories can contain arbitrary serialized Java objects, so an attacker who gets a vulnerable application to query an LDAP directory under the attacker's control can make that application run arbitrary Java code.

The P1 Security Labs Team has developed a dedicated test case scenario that leverages this vulnerability over signaling networks in customer environments, as part of our P1 Telecom Auditor (PTA).

Impact

The P1 Security Team found that it is possible to trigger the Log4j exploit and perform an RCE over signaling against Telecommunication equipment.

Many telecom components handling signaling or data from signaling may be affected by the vulnerability: SIEM, billing systems, IMS services, monitoring platforms…

Sending the malicious payload over signaling allows an attacker to achieve full RCE on the operator core network.

Due to the ease of exploitation and the extent of applicability, we think that the impact is High.

Recommendation

P1 Security encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity.

Update all vulnerable applications to the latest version of Log4j if possible. If that is not possible, update the Log4j configuration to globally disable Java JNDI lookups from logged data: https://logging.apache.org/log4j/2.x/security.html
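To find what needs updating, the following added example (not P1 Security's code) inventories `log4j-core` jars under a directory and flags those in the affected range exactly as this article states it. The function names and the sample directory tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Affected range exactly as this article states it:
# 2.0-beta9 through 2.16.0, excluding 2.12.3.
JAR_RE = re.compile(
    r"log4j-core-(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL = 3  # a final release sorts after all of its pre-releases

def version_key(filename):
    """Sortable key for a log4j-core jar filename, or None if it is not one."""
    m = JAR_RE.search(filename)
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))  # treat 2.0 as 2.0.0
    if m.group(2):
        return (*nums, PRE_RANK[m.group(2).lower()], int(m.group(3)))
    return (*nums, FINAL, 0)

LOW = (2, 0, 0, PRE_RANK["beta"], 9)
HIGH = (2, 16, 0, FINAL, 0)
EXCLUDED = {(2, 12, 3, FINAL, 0)}

def is_affected(filename):
    """True if the jar's version falls in the article's affected range."""
    key = version_key(filename)
    return key is not None and LOW <= key <= HIGH and key not in EXCLUDED

def scan(root):
    """Return sorted paths of affected log4j-core jars found under root."""
    return sorted(str(p) for p in Path(root).rglob("log4j-core-*.jar")
                  if is_affected(p.name))

if __name__ == "__main__":
    # Constructed sample tree: empty files named like real jars.
    with tempfile.TemporaryDirectory() as d:
        for rel in ("siem/lib/log4j-core-2.14.1.jar",
                    "billing/lib/log4j-core-2.12.3.jar",
                    "ims/lib/log4j-core-2.0-beta8.jar",
                    "mon/lib/log4j-core-2.17.1.jar"):
            path = Path(d, rel)
            path.parent.mkdir(parents=True)
            path.touch()
        for hit in scan(d):
            print("AFFECTED:", hit)
```

Filename matching misses copies of Log4j bundled inside fat or shaded jars and files that have been renamed, so treat a clean result as a first pass rather than proof of absence.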

Interested? Fill in the online form now! https://log4j-tester.p1sec.fr/
