Shedding light on alternative exploit strategies for the chaotic Log4j vulnerability, researchers have devised a new attack vector exploiting WebSocket. Users must update their systems to the latest Log4j version 2.17.0 to avoid potential threats.
Log4j Attack Vector Exploits WebSocket
Security researchers from Blumira have elaborated how WebSocket connections exploits can serve as a Log4j attack vector.
According to their blog post, this attack strategy can prove viable against internal systems not exposed to the internet. All it takes is to have a vulnerable Log4j version running on the device or the network. Browsing a website would then allow triggering the Log4Shell vulnerability via WebSocket connections.
Describing how the process works, the researchers stated,
This attack makes malicious requests to potentially vulnerable localhost or local network servers that were not exposed to the internet itself via WebSocket.
The researchers have also shared a PoC video in their post while explaining the attack step-by-step. Their PoC included Log4j 2.13.0, JNDI Exploit Kit (from here), Java (JRE8) application with SpringFramework, and targeted the 2019 Server with Google Chrome (Version 96.0.4664.110) as the victim.
Recommended Mitigations
Mainly, the researchers urge all users to update their systems to the latest Log4j version 2.17.0. This is the third major Log4j update from Apache that likely includes the complete Log4Shell patch.
However, the researchers have suggested other mitigation strategies where updates are not possible. These include implementing egress filtering to limit callbacks and ensuring functional threat detection strategies, among others.
Besides, they also suggest using NoScript and similar tools to block JavaScript on untrusted websites as a temporary workaround. However, since this may affect the browsing experience, updating the Log4j version remains the only viable option for now.
Let us know your thoughts in the comments.