Now that the Log4Shell cat is out of the bag, researchers are experimenting with all the different ways the exploit could be used in the wild.
This includes two recent examples showing how the vulnerability in the Log4j open-source Java tool could be used on an iPhone, or a Tesla car, to compromise the server communicating with the endpoints.
A Dutch researcher has demonstrated how changing the iPhone’s name to a string of characters could force the server on the other end to try to access a specific URL. The same was done with a Tesla car by an unknown researcher, who posted their results to the anonymous Log4jAttackSurface GitHub repository.
Theoretically, a malicious actor could host malware on a server and then, by changing the name of an iPhone, could force Apple’s servers to access that server’s URL and download the malware.
It’s a long shot though, as any well-maintained network would be able to prevent such an attack with relative ease. What’s more, there’s no indication such a method could lead to any broader compromise of these firms, The Verge further explained.
Extremely potent vulnerability
Log4Shell is the name of a recently discovered exploit in the Log4j Java tool, which some researchers believe handles incident logging for millions of devices.
Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) described the flaw as “one of the most serious” she’s seen in her entire career, “if not the most serious”.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly explained.
It’s tracked as CVE-2021-44228, and allows malicious actors to run virtually any code. The skills required to take advantage of the flaw are very low, experts have warned, urging everyone to patch Log4j as fast as they can.
Organizations using Log4j in their software should immediately upgrade it to the latest version, 2.15, which is available from Maven Central.
Via: The Verge