Blumira research team has discovered an alternative attack vector in the Log4j vulnerability that relies on a basic Javascript WebSocket connection to trigger the RCE locally via drive-by compromise.

Previously, one of the assumptions was that the impact of Log4j was limited to exposed vulnerable servers. This newly-discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine or local network through browsing to a website and triggering the vulnerability. WebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack. At this point, there is no proof of active exploitation.

Jake Williams, Co-Founder and CTO at BreachQuest, a Georgia-based leader in incident response, explains, “WebSockets have previously been used for port scanning internal systems, but this represents one of the first remote code execution exploits being relayed by WebSockets. This shouldn’t change anyone’s position on vulnerability management though. Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”

The Log4j vulnerability, dubbed Log4Shell, already provides a relatively easy exploit path for threat actors, whereas it doesn’t require authentication to take full control of web servers. Using this vulnerability, attackers can call external Java libraries via ${jdni:ldap:// and ${jndi:ldaps:// and drop shells to deploy the RCE attack without additional effort. This new attack vector expands the attack surface for Log4j even further and can impact services even running as localhost, which were not exposed to any network.

“When the Log4j vulnerability was released, it became quickly apparent that it had the potential to become a larger problem. This attack vector opens up a variety of potential malicious use cases, from malvertisting to creating watering holes for drive-by attacks,” said Matthew Warner, CTO and Co-Founder of Blumira. “Bringing this information to light ensures that organizations have the opportunity to act quickly and protect themselves against malicious threat actors.” 

Researchers disclosed this information to CERT following standard procedures outlined in its vulnerability disclosure policy.

Commenting on the news, John Bambenek, Principal Threat Hunter at Netenrich, a California-based digital IT and security operations company, says, “While significant, attackers will likely favor the remote exploit versus the local one. That being said, this news does mean that relying on WAF, or other network defenses, is no longer an effective mitigation. Patching remains the single most important step an organization can take.”