Updates for Log4J and December Patch Tuesday

Log4Shell Update

Earlier this week (December 13, 2021) we shared some information regarding a major vulnerability that has affected hundreds of thousands of open source and commercial products across the world (https://www.connectwise.com/resources/major-vulnerability-in-the-most-common-java-logging-module), CVE-2021-44228, also known as Log4Shell. This is a remote code execution (RCE) vulnerability in the Java module Log4j. Over the weekend, we saw security researchers and threat actors alike scanning the internet en masse, with payloads from security researchers being simple checks to see if a system is vulnerable and most threat actors attempting to deploy coin miners. Since then, there has been a new Ransomware strain observed originally reported on by ConnectWise partner Bitdefender named Khonsari (https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild). We have also seen threat actors deploy reverse shells and perform hands-on-keyboard activity such as scoping the size of a network, possibly as a precursor to deploying ransomware. Overall, as expected, the attacks are becoming more varied and advanced.

Apache first released a patch for CVE-2021-44228 on December 6, when the vulnerability was first publicly disclosed with the release of Log4j 2.15.0 (https://logging.apache.org/log4j/2.x/security.html). Yesterday, December 14, Apache released Log4j 2.12.2 and Log4j 2.16.0 when a new advisory disclosed that the previous patch was not sufficient in all situations. Apache also disclosed a new vulnerability in previous versions of Log4J, CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046). An attacker can once again use the Java Naming and Directory Interface™ (JNDI) in this new vulnerability, but unlike Log4Shell CVE-2021-44228 can result in a Denial of Service (DoS) rather than RCE. The latest version of Log4j completely removes support for JNDI. We strongly recommend upgrading to the latest version of Log4j where possible. Keep in mind that this is a framework that hundreds of thousands of open source and commercial products use, over 470,000 listed on Github (https://github.com/apache/log4j/network/dependents), and any of these products may be vulnerable. We strongly recommend you perform a complete software audit and check with your vendors to see if they are affected and if they have a patch available.

December Patch Tuesday

Yesterday was Patch Tuesday, the second Tuesday of each month when Microsoft, Adobe, and some other software vendors push out regular security updates. This month, Microsoft released patches for 83 vulnerabilities; 7 of these are critical, 6 were previously disclosed, and 1 is actively being exploited. SANS released their usual handy chart that lists all the crucial details at https://isc.sans.edu/diary/rss/28132. The Critical vulnerabilities disclosed this month are listed below:

CVE

CVE Title

Impact

Severity

CVE-2021-42310

Microsoft Defender for IoT Remote Code Execution Vulnerability

Remote Code Execution

Critical

CVE-2021-43215

iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution

Remote Code Execution

Critical

CVE-2021-43217

Windows Encrypting File System (EFS) Remote Code Execution Vulnerability

Remote Code Execution

Critical

CVE-2021-43233

Remote Desktop Client Remote Code Execution Vulnerability

Remote Code Execution

Critical

CVE-2021-43899

Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability

Remote Code Execution

Critical

CVE-2021-43905

Microsoft Office app Remote Code Execution Vulnerability

Remote Code Execution

Critical

CVE-2021-43907

Visual Studio Code WSL Extension Remote Code Execution Vulnerability

Remote Code Execution

Critical

One Important vulnerability is also particularly worth highlighting, CVE-2021-43890, is a 0-day vulnerability with a CVSS score of 7.1 and is actively being exploited. This CVE covers a Windows AppX Installer Spoofing vulnerability. This vulnerability allows a malicious actor to create a malicious attachment that looks like a legitimate application. This vulnerability has been observed being used by Emotet, which is back after a 10-month hiatus (https://www.connectwise.com/resources/emotet-is-back).

The CRU is going through the entire list of vulnerabilities released and working on new detection content. Stay tuned for more updates here and via our Twitter feed at https://twitter.com/ConnectWiseCRU.

References

https://www.connectwise.com/resources/major-vulnerability-in-the-most-common-java-logging-module

https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild

https://logging.apache.org/log4j/2.x/security.html

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321

https://isc.sans.edu/diary/rss/28132