Security Issue? Log4j

[HappyDude]

The IT world is kind of on fire today with a security vulnerability in a common software library.

‘The Internet Is on Fire’

A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix.

www.wired.com

The reason I'm posting here is because Tesla might be impacted. Scroll down to Tesla to see a photo

GitHub - YfryTchsGD/Log4jAttackSurface

Contribute to YfryTchsGD/Log4jAttackSurface development by creating an account on GitHub.

github.com

 

[misdemeanor]

I have some people asking me "How can we protect ourselves?" I dont know what the attack vector is - possibly connecting to a malicious SSID?

We've got several IT platforms affected by this at our MSP

 

[tengtengvn]

Man, I've been working all days on this. Saw Russian IPs in the logs. Fun.

 

[ucmndd]

If I’m interpreting that pic right, basically it’s a self-own / rooting opportunity? Changing the car name to the JNDI string causes said string to be logged by log4j… voila.

 

[Britboy007]

 

[Britboy007]

Yep, if it would be logged then it could be used, even headers...

 

[CapinWinky]

Tesla already mitigated this, but one of the ways it could be triggered was that Tesla logs the name of the phone the car is connected to, so you could have renamed your phone to the JNDI string. Also worked with the car's name and probably also with profile names and key names. The thing is, you had to have access to the unlocked car to do any of this stuff, and then the thing you are hacking is not the car, but Tesla's server.

If damage was done, it was already done and someone has a lot of data about our cars at least from reading the log files.

Where this bug is going to be massive is in mid-sized credit unions with local yocal IT support. They will stay vulnerable for months and have improper sandboxing so attackers can find ways into actual banking data.