Security researchers are continuing to investigate the new Log4Shell vulnerability that we discussed yesterday. Recall that it allows attackers to remotely execute code on vulnerable servers and inject malware that can completely compromise devices. The researchers found the vulnerability could be exploited on a variety of devices, including iPhones and Tesla electric vehicles.
As the screenshots show, by changing the name of an iPhone or Tesla device to a special exploit character string, it is possible to trigger a callback from Apple or Tesla servers, which indicates that the server is vulnerable to Log4Shell. After the device name was changed, inbound traffic showed URL requests from IP addresses owned by Apple and China Unicom (Tesla's Chinese mobile service partner): the researchers had tricked Apple's and Tesla's servers into contacting the URL they supplied.
The Log4Shell vulnerability is dangerous because it is relatively easy to exploit. It forces the application to interpret a piece of text as a link to a remote resource and to try to fetch that resource, even though the system should only save the received text as a line in the application logs and never follow the link. This makes many systems that accept user input potentially vulnerable, for example those of SMS providers.
In theory, an attacker could place malicious code at the target URL in order to infect vulnerable servers. However, a well-maintained network can block such an attack at the network layer, and more broadly there is no indication that this method could significantly compromise Apple or Tesla systems. Neither company responded to The Verge's request for comment.
It is not yet known whether attackers have actually managed to compromise any systems using the Log4Shell vulnerability. However, the Cado platform has reported that servers have already been found attempting to use this method to install Mirai botnet code.
An update, log4j-2.15.0-rc2, has already been released to fix the Log4Shell vulnerability.
Source: The Verge