
Considering how log4shell seems trivial to exploit and the important control level it gives to an attacker, should we wipe everything affected and start over?

For example, we find out that a publicly accessible server in production has log4j 2.0-beta9 <= Apache log4j <= 2.15.0 used by a service on that server.

Assumption: We don't know if, between the vulnerability disclosure and the moment when the fix has been applied, an external attacker could have compromised the server and hid some malicious piece of code on it.

Considered recovery steps:

  1. From a trusted computer not affected by log4shell and clean of any other kind of malware, download an Ubuntu desktop live media image and the server OS installation media as well.

  2. Boot the affected server from the Ubuntu desktop live media image.

  3. Backup important data on an external hard drive from the Ubuntu live media.

  4. dd if=/dev/zero of=[Server OS drive] bs=4M count=1024
     Note: would wiping only the boot sectors be enough, instead of the whole disk?

  5. Reboot, then boot from the server OS installation media.

  6. Reinstall the OS and applications with updated log4j, then restore data.

To be at least an easy 96%+ sure we are safe from any bad surprises resulting from log4j exploitation, should we do the steps above on any affected servers, or is this overkill plus a huge waste of time?

pmbonneau
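Finding out which servers actually carry a log4j-core in the affected range is the first step before deciding on the wipe. As an added example (not code from the question or the answer), this Python script walks a directory tree for log4j-core jars, reads the version from the jar's embedded pom.properties (falling back to the filename) and flags anything inside the range stated in the question; the three sample jars are constructed in a temp directory so it runs offline.

```python
import os
import re
import zipfile
import tempfile
# Affected range exactly as stated in the question: 2.0-beta9 <= log4j-core <= 2.15.0.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.15.0"
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before the final release (3)
def parse_version(v):
    """Turn '2.0-beta9' or '2.15.0' into a tuple that compares correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised log4j version: {v}")
    pre = (PRE_ORDER[m[4]], int(m[5])) if m[4] else (3, 0)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) + pre

def is_affected(version):
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)

def jar_version(path):
    """Version from the jar's embedded pom.properties, falling back to the filename."""
    with zipfile.ZipFile(path) as z:
        if POM_PATH in z.namelist():
            for line in z.read(POM_PATH).decode().splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(.+)\.jar$", os.path.basename(path))
    return m[1] if m else None

def scan_jars(root):
    """Return {jar_path: (version, affected)} for every log4j-core jar under root."""
    found = {}
    for d, _, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core") and f.endswith(".jar"):
                p = os.path.join(d, f)
                ver = jar_version(p)
                found[p] = (ver, ver is not None and is_affected(ver))
    return found

def make_sample_tree():
    """Constructed sample data: three stub jars containing only a pom.properties."""
    root = tempfile.mkdtemp()
    for ver in ("2.0-beta9", "2.14.1", "2.17.0"):
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{ver}.jar"), "w") as z:
            z.writestr(POM_PATH, f"version={ver}\nartifactId=log4j-core\n")
    return root

if __name__ == "__main__":  # stand-alone demo over the constructed jars
    print({p: ver for p, (ver, bad) in scan_jars(make_sample_tree()).items() if bad})
```

Point `scan_jars` at the application directories on a real host; jars nested inside war files or shaded into an application jar are not unpacked by this check and need a separate look.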

1 Answer

... or is this overkill plus a huge waste of time

This fully depends on how well you know your own infrastructure, how good your monitoring is for attack detection and what proactive mitigations you had in place which might have stopped the attack or limited the impact (like lateral movement, privilege escalation). For example, restrictive outbound access could have stopped the downloading of the attack payload from an outside server, which was needed to actually exploit the issue.

If you were basically blind and had no mitigations in place then this might not be overkill. It might even be too little, since the attacker might have used the exploit not only to compromise this specific system but also used the gained access to the internal network to compromise even more services and systems which are not directly accessible from the outside.

Steffen Ullrich