In the past two weeks, Log4j has continued to drive security news, with more vulnerable platforms being found and additional CVEs coming out. First up is work done by TrendMicro, looking at electric vehicles and chargers. They found a Log4j attack in one of the published charger frameworks, and also managed to observe evidence that the Tesla In-Vehicle Infotainment system is vulnerable. It isn’t a stretch to imagine a piece of malware that could run on both a charger and an EV. And since those systems talk to each other, it could spread from charger to charger by riding along in the cars that move between them.
Log4j is now up to 2.17.1, as there is yet another RCE to fix, CVE-2021-44832. This one is only scored a 6.6 on the CVSS scale, as opposed to the original, which weighed in at a 10. CVE-2021-44832 requires the attacker to first gain control over the Log4j configuration, making exploitation much more difficult. This string of follow-on vulnerabilities demonstrates a well-known pattern: a high-profile vulnerability attracts the attention of researchers, who then find other problems in the same code.
There are now reports of Log4j being used in Conti ransomware campaigns. Additionally, a Mirai-based worm has been observed. This self-propagating attack seems to be targeting Tomcat servers, among others.
This Week In Security: The Log4j That Won’t Go Away, WebOS, And More
If you spent your weekend outside and away from the Internet, you might have missed the massive liquidation of HP TouchPads on Amazon, woot.com, WalMart, and the HP online store. Normally a $100 fully featured tablet is nothing to scoff at, but there is a catch: The HP TouchPad runs WebOS. WebOS is a fine operating system for a tablet, but it’s not Android. The folks at HacknMod.com posted a bounty for the first person to port Android to the HP TouchPad.
HacknMod is offering up $450 for a basic Android port and is looking for sponsors for the WiFi, Audio, Camera, and MultiTouch bounties. There’s a lot of discussion about the port on the XDA Developers and the RootsWiki forums if you’d like to get a bearing on how far along the project is. The TouchPad has already been rooted so there’s your starting point.
We’d like to throw our hat into the ring, but we missed out on the TouchPad fire sale. If anyone knows of an online shop where they’re still available, leave a message in the comments.
The new Palm Pre cellphone has a “media sync” feature which lets the device sync with iTunes in a fashion identical to an iPod. Last week [Jon Lech Johansen] speculated that this was not done in cooperation with Apple and that Palm was spoofing the iPod’s USB controller. This was confirmed today when a tipster sent him a screenshot of what the device reports in both standard and media sync modes. The Palm Pre reports its Product ID as iPod and Vendor ID as Apple, with a few other changes. [Jon] notes that it doesn’t change the root USB node, so Apple should be able to block this behavior with an iTunes update. With Palm already pulling tricks like this, presumably through software, we wonder if this will become a full-on arms race.