Much of the press has focused on the impact of the Log4j vulnerability on services hosted across the internet. The damage there cannot be ignored, and it has been touted as one of the worst vulnerabilities to have hit the industry in over 10 years.
Large corporations that run many of these internet-hosted services have plenty of resources. This means patches to fix these vulnerabilities are on their way and will be completed in due time.
However, the impact of such a vulnerability is very much understated in the grand scheme of things; billions of devices run Java applications (including the devices that we use at home). If any one of them were to have a dependency on a vulnerable version of Log4j, it would only be a matter of time before an attacker finds a vector to exploit the vulnerability on the device.
It is likely that many such applications installed on our systems are no longer maintained, and even if there were a fix, users are not likely to automatically patch to a safe version. Additionally, many users have no knowledge that such a vulnerability even exists on their installed applications. Their devices may be left vulnerable for a long time.
Reproducing the exploit
The much publicized vulnerability in Minecraft, which allowed attackers to run malicious code on your device simply by pasting the payload into the Minecraft chat, triggered an investigation here at ExpressVPN into what we could do to better protect consumers.
We reproduced the exploit in our lab setup (shown in the video above) and confirmed that this was indeed an issue on vulnerable versions of the Minecraft client. A callback was made to the attacker’s server on the LDAP port and a malicious payload was executed on the user’s machine. What concerned us was that an attacker can remotely control your computer if you happen to be running an application vulnerable to Log4Shell.
We dug a bit deeper and found other user applications that are affected by the Log4j vulnerability, and those included the Arduino IDE used by hardware enthusiasts to program their microcontrollers, the open-source testing tool OWASP ZAP, and even the open-source reverse engineering tool Ghidra. We foresee more vendors announcing similar vulnerabilities in the coming weeks and even months, meaning many other applications will remain unpatched until then.
We predict a long tail of threat actors trying to exploit client applications prone to Log4Shell on user devices, as many individuals will continue to have vulnerable applications installed. In view of this, on December 14, 2021, we at ExpressVPN made a swift, resolute decision to block outbound LDAP traffic based on port numbers, and rolled the block out to all our consumers. This acts as a protective layer to prevent pulling in the more harmful second-stage payloads that allow an attacker to run arbitrary commands on your computer.
ExpressVPN’s mitigation technique
A protective layer as a first line of defense
A new layer of protection was implemented at 09:30 GMT, December 14, 2021, and is live across all ExpressVPN VPN servers worldwide. This means that everyone using ExpressVPN on their devices or router enjoys protection from the Apache Log4j vulnerability. This mitigation is server-side, so no action from users is required. More details are available here.
With the protection in place, attacks can be mitigated since the LDAP outbound traffic is blocked for default payloads. We can see the defense in play below, and the exploitation was successfully prevented with no sign of any callbacks to the attacker’s server when connected to ExpressVPN.
Are ExpressVPN apps affected?
None of the ExpressVPN client applications include Log4j as a dependency. No action from ExpressVPN users is needed at this time.
What can I do to protect myself?
Review your apps
As a priority, review the applications installed on your own device and remove any applications that are no longer in use. Next, for applications on your device, take time to review the versions installed and be sure to update them as new versions become available. If the version installed is an unofficial release, consider removing the application to reduce potential risk.
We also recommend deploying the following firewall rules as a baseline defense which will prevent exploitation if the attacker uses default ports in their payload.
- Blocking outbound TCP/UDP on LDAP ports (389, 1389, 3268, 3269)
- Blocking outbound TCP/UDP on RMI ports (1099)
Users connected to ExpressVPN get the above baseline protections without needing to take any further action.
Check the defenses
Users that employ the defenses above (or are connected to ExpressVPN) can check that the defense is working by setting up a Rust environment and installing a simple Rust application, which queries a cloud-hosted checker and ensures that the outbound ports listed above are blocked:
cargo install log4j-portscan
You can see the differences with the VPN on and off below. Users that deploy their own rules can use the tool below to perform the checks as well.
Awareness and understanding of the widespread impact of the vulnerability on client applications installed on user devices to Log4Shell is key to shortening the long tail of this vulnerability. We encourage all users to keep a lookout for updates and apply vendor patches diligently.
We further invite the larger security community to dig deeper into this and present vulnerabilities found on these applications to the respective responsible disclosure programs that the software vendors run.
Take the first step to protect yourself online
30-day money-back guarantee