The list of services with Internet-facing infrastructure that is vulnerable to a critical zero-day vulnerability in the open source Log4j logging utility is immense and reads like a who’s who of the biggest names on the Internet, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.
The vulnerability, now going by the name Log4Shell, came to light on Thursday afternoon, when several Minecraft services and news sites warned of actively circulating attack code that exploited the vulnerability to execute malicious code on servers and clients running the world’s bestselling game. Soon, it became clear that Minecraft was only one of likely thousands of big-name services that can be felled by similar attacks.
A compilation of screenshots posted online documents how some of the world’s most popular and trusted cloud-based services react when they are fed parameters used in the attack. To wit:
The images use a domain name system leak detection service called dnslog.cn to see if the target cloud service is performing a DNS lookup. Each images shows that service is accepting connections from an attacker-controlled machine (as evidenced by the IP connection log).
“Normally, typing something into a username box should never be making any external network connections, so the fact that it does proves that Log4j is being used here and therefore that the server may be vulnerable to the remote code execution attack,” Ars reader skizzerz explained in the comments below.
While the images show the services responding in unintended and potentially dangerous ways to the user input, the services aren’t automatically vulnerable to the types of code-execution attacks that compromised Minecraft servers. That’s because these services typically have multiple layers of defense. If one layer fails, additional layers are often available to lessen or completely eliminate any real damage.
Then again, the images demonstrate that unauthorized people can exploit Log4Shell to access the servers of the some of the world’s most powerful corporations in ways they never intended. Asked about the access to Apple servers, Malwarebytes director of Mac offerings Thomas Reed said: “This is far worse than if individual devices were vulnerable, and I think it’s an open question at this point exactly what kind of data attackers are probably pulling from Apple’s services as we speak.” Apple representatives didn’t respond to an email seeking comment.
Cloudflare, meanwhile, said in a post that it has taken steps to block attacks on its network and against its customers. Cloudflare Chief Security Officer Joe Sullivan said his team has been unable to reproduce the behavior depicted in the image and doesn’t recognize the IP addresses shown.
Minecraft on Friday rolled out a fix.
The takeaway is that it’s too early now to say these services aren’t vulnerable. For the time being, people should remain wary and await guidance from affected providers.
Listing image by Jeffrey Coolidge / Getty Images