AWS patches to fix Log4j vulnerabilities could be exploited for privilege escalation or container escape attacks

Cybersecurity specialists at Palo Alto Networks report that the patches released by Amazon Web Services (AWS) to address the Log4j vulnerabilities could themselves be exploited to escalate privileges on the system or escape containers. Identified at the end of 2021, the Log4Shell flaws allow threat actors to execute code remotely and take control of affected deployments.

To prevent Log4Shell exploitation, AWS security teams released several hot patches, each suited to a different environment, including servers, Kubernetes, Elastic Container Service (ECS), and Fargate: one was shipped as an RPM or Debian package, one as a hot patch daemonset for Kubernetes clusters, and another as a set of OCI hooks intended for Bottlerocket hosts.

However, experts at Palo Alto Networks found that, once the hot patch was installed, any container on the server or cluster could exploit it to take control of the underlying host. In addition, any unprivileged process could exploit the hot patches to escalate privileges and execute code as root.

According to the report: “After installing any of the patches, new containers can exploit the patch to escape and compromise its underlying host; on hosts that installed the Hot Patch service or the Hot Patch Daemonset, existing containers can also escape.”

To patch Java processes on the fly, the hot patch solutions invoke the binaries found inside containers; because this was not done within the proper container confinement, the restrictions that normally apply to container processes did not apply to the newly spawned processes.

A malicious container could therefore include a binary named ‘java’ to trick the installed solution into invoking it with elevated privileges. The malicious ‘java’ process could then abuse those privileges to escape the container and seize the underlying host.

In other words, the fixes treat unprivileged processes the same way, so a malicious process without privileges could create a binary named “java” and abuse the hot patch service to elevate its privileges. “These bugs can be exploited regardless of container configuration, so even environments that allow isolation techniques are affected,” adds the report.
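As an added defensive example (not code from the report, AWS, or Palo Alto Networks), the following audit flags the condition described above: a `java` process that lives in a container cgroup yet holds host-level capabilities, which is what a patch process spawned without container confinement looks like. The /proc-style records are constructed, and the cgroup path markers are an assumption about common runtimes.

```python
import re

# Linux capability bit numbers (from <linux/capability.h>).
CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_SYS_ADMIN = 16, 19, 21
HOST_LEVEL_CAPS = {CAP_SYS_MODULE, CAP_SYS_PTRACE, CAP_SYS_ADMIN}

# Assumed cgroup path fragments used by Docker, Kubernetes, containerd and ECS.
CONTAINER_MARKERS = ("docker", "kubepods", "containerd", "/ecs/")


def parse_cap_eff(status_text):
    """Return the effective capability mask from a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    return int(m.group(1), 16) if m else 0


def in_container_cgroup(cgroup_text):
    """True if any /proc/<pid>/cgroup line points into a container slice."""
    return any(marker in cgroup_text for marker in CONTAINER_MARKERS)


def find_unconfined_java(procs):
    """procs: dicts with 'pid', 'comm', 'status', 'cgroup' (/proc-style text).
    Returns pids of java processes that sit in a container cgroup but still
    hold host-level capabilities, i.e. they were not confined like the container."""
    hits = []
    for p in procs:
        if p["comm"] != "java":
            continue
        caps = parse_cap_eff(p["status"])
        if in_container_cgroup(p["cgroup"]) and any((caps >> b) & 1 for b in HOST_LEVEL_CAPS):
            hits.append(p["pid"])
    return hits


# Constructed sample records, not taken from a real host. 0x00000000a80425fb is
# the Docker default capability set; 0x0000003fffffffff is the full set on a 5.x kernel.
SAMPLE_PROCS = [
    {"pid": 1, "comm": "systemd", "status": "Name:\tsystemd\nCapEff:\t0000003fffffffff\n",
     "cgroup": "0::/init.scope\n"},
    {"pid": 4120, "comm": "java", "status": "Name:\tjava\nCapEff:\t00000000a80425fb\n",
     "cgroup": "0::/kubepods/burstable/pod-abc/4f2c\n"},
    {"pid": 4377, "comm": "java", "status": "Name:\tjava\nCapEff:\t0000003fffffffff\n",
     "cgroup": "0::/kubepods/burstable/pod-abc/4f2c\n"},
]

if __name__ == "__main__":
    print("unconfined java pids:", find_unconfined_java(SAMPLE_PROCS))  # [4377]
```

On a live host the same functions can be fed the contents of `/proc/<pid>/status` and `/proc/<pid>/cgroup` for each process.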

AWS has already fixed the issues with these patches, so customers are invited to install the fixes as soon as possible to mitigate the risk of exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.