More Log4J news read during the holiday

During the holiday break, I have been doing some reading and found some articles I want to talk about. Two of the three in this post were sent to the Security Box email list; the third was more for people who need to know what to look for to try and protect servers and things from this ordeal, and it offers steps you can take.

Examining Log4j Vulnerabilities in Connected Cars and Charging Stations

This is probably not a surprise. We read as part of podcast 74, which dealt with Log4J, that cars may be affected, but we really don’t know to what extent.

What we do know is that, at least for now, a proof of concept may be possible.

Here is the opening paragraph. It says:

Evidence of attacks using the Log4j vulnerability was also shown in a test that triggered a bug on a Tesla car. For this case, the source does not provide much information on where it was actually executed. Nevertheless, this means that the exploitation of the vulnerability could still have an impact on the user’s privacy and the general security of the car because a back-end compromise could allow attackers to push actions to the car and serve malicious firmware over-the-air (FOTA) updates.

As we know, the invention of the smartphone can give us a lot of convenience, like checking our email on the go, looking up sports, watching sports or movies, and even playing games. According to this article, it can also replace the keys that you would put in your pocket for electric cars. This would, in turn, make the car a perfect target, as you don’t have to have your key around while you operate it.

Here are other paragraphs that might be of interest in this discussion.

Beyond the three devices or properties in modern cars discussed in this article, there are still many more to test and monitor for Log4j vulnerabilities. Among them are servers’ responses to tests and plenty of other vectors that could allow attackers to use the access afforded by applications to send commands that can unlock a car, control the heating, and perform other functions that can be abused by malicious actors.

Nobody has thought about that paragraph before, have they? Yes, you don’t need a lot of gas usage now, and it saves you money, but what about the ways it could be abused like what was discussed in a Security Now episode where someone took a car for a rental and how he still had access? There’s more we’re quoting as part of this too.

Up to now, organizations and security experts are still grappling with the full extent of the Log4j vulnerabilities. It is likely that more reports looking into the effects of these vulnerabilities in specific services, devices, or applications will be released in the coming weeks. On the other hand, cybercriminals are also making the most of this time to catch potential victims, including those who are still exposed via unpatched Log4j vulnerabilities, off guard.

The main fix for the vulnerabilities is to update Log4j to version 2.17.0. This version removes the message lookup feature, which provides a way to add values to Log4j’s configuration, entirely. However, in most cases, such as RISE-V2G, using an up-to-date version of Log4j could break applications.

This is unfortunate, and that’s why we continue to see hospitals being burned, because they can’t update operating systems and software because it’ll break stuff. Don’t know how to get around that one, I’m afraid.

There’s more, including some commands that could be invoked when things need to get done.

The Log4j story, and how it has impacted our customers

This article was very insightful even though I’m not a Trend customer. They describe what happened. There’s definitely more because they’re doing research into what is really going on and this is only one of two articles that could tell the story.

What to Do About Log4j

This article I didn’t send to the TSB list because it’s more for people who need to be aware of what to do to mitigate the vulnerability. It’s meant for those who have log4j running within their environment and I want people to have this because it’s being blogged. You should definitely take a look at this if you’re affected by this vulnerability.

I don’t remember which article, but some articles may talk about multiple CVE 2021 numbers as part of the problem. Be safe, get the latest if you can, and keep reading so you can make your environments as safe as possible.
