Düsseldorf. Many IT departments have to work extra shifts this weekend: a serious security gap endangers millions of online applications and apps worldwide. According to media reports, those affected include Apple's iCloud storage service, the online game “Minecraft”, the gaming platform Steam and a system belonging to the electric car maker Tesla, but also corporate applications.
The Federal Office for Information Security (BSI) rates the risk posed by the security gap at 10 on the so-called CVSS scale, the highest possible value. On Saturday evening the authority therefore raised the IT threat level to red, the highest warning level, and warned IT organizations that their ability to react should be “increased appropriately at short notice”.
Some players in the IT security industry choose even more drastic words. It is the “worst security hole in the past decade,” said Amit Yoran, head of the IT security company Tenable. “The Internet is on fire,” said Adam Meyers, a senior manager at Crowdstrike.
The effects are likely to be felt for weeks or months, possibly for years. “It will take some time to understand the extent of the problem and to fix it,” predicted Thorsten Holz, professor at the Helmholtz Center for Information Security (CISPA) in Saarbrücken, to the Handelsblatt.
The vulnerability affects the Java programming language, which is used in numerous web applications and apps. Specifically, it concerns a module called Log4j that records activity, for example on servers; experts call such a module a library. Programmers can integrate it into their software with little effort.
Because of the security gap, attackers can execute their own code on servers that use the affected software, and thus take over the system completely. “It is relatively easy to use,” says IT security researcher Holz. A program that demonstrates the attack path is available online, and hackers can adapt it for their own purposes with little effort.
“Worldwide mass scans”
Many criminals and spies apparently want to seize the opportunity: the BSI reports “worldwide mass scans” which apparently serve to identify possible targets. In addition, there are first reports of “successful compromises”, the authority explains. The security gap has only been known in specialist circles since Thursday, so it has been public for a relatively short time.
So far, the BSI has observed criminals misusing the security gap to run software that mines cryptocurrencies, so-called crypto miners, on the affected servers. There are also “initial indications” that compromised systems are being added to botnets, which can be used to send spam, for example.
It will not stop there. There is a high probability that “the attacker activities will increase significantly in the next few days,” warns the BSI, especially since numerous applications are affected. The authority refers to a list on the programming platform GitHub that enumerates possibly affected products, including ones from Microsoft and Cisco, Salesforce and Software AG.
Analysis is still under way at the IT companies. SAP is “working hard” to understand and remedy the effects of the vulnerability. “We are currently taking suitable measures to protect our customers worldwide and, depending on the situation, provide regular updates.” The DAX-listed group did not provide details when asked, for instance on whether updates are available for all products.
Software AG stated that it immediately initiated its security procedures to remedy the vulnerability and informed its customers. “This event showed that our security processes are working and effective.” The second largest German software manufacturer likewise did not make any details about affected products and available updates public.
Products need to be modified
That is not surprising. There is a security update for the Java library Log4j, but the products that use it must also be modified. “The library is widespread and is integrated into various types of applications and projects – so you first have to understand how large the attack surface is,” says security researcher Holz.
Closing the security gap becomes difficult especially where Log4j is embedded in other products. It is already known that the library is used in various systems for operating websites.
Verifying this can take considerable time. “The big companies have the necessary manpower, but not necessarily the small ones,” says Holz. The situation is even more difficult in small open source projects that have to check whether they are using the ready-made component. Further products that are at risk are therefore likely to become known in the coming days and weeks.
The incident once again exposes a major problem in the IT industry: it is common for developers to use standard components from open source projects. However, these are often maintained by small teams, frequently unpaid, which makes mistakes more likely.
A few years ago it became known that the popular encryption software OpenSSL had a serious security gap; its core team consisted of only four developers. Since then, a number of IT companies have been supporting the project financially.
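Read as a defender, the passages above boil down to an inventory task: finding every copy of Log4j on a host, including copies embedded inside other archives. The following Python script is an added example and is not part of the article or of the BSI's material; it keys on the Maven metadata path that Log4j jars carry and descends into nested JARs and WARs, using a constructed sample archive (the version string is made up) so that it runs offline.

```python
"""Inventory Log4j artifacts inside JAR/WAR/EAR files, descending into nested archives."""
import io
import zipfile

# Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties;
# Log4j's groupId is org.apache.logging.log4j, so that path is what we key on.
LOG4J_MAVEN_PREFIX = "META-INF/maven/org.apache.logging.log4j/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comment lines."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def find_log4j(data, origin):
    """Return (location, artifactId, version) for each Log4j pom.properties in `data`."""
    found = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip container, or corrupt: nothing to inspect
    with archive:
        for name in archive.namelist():
            if name.startswith(LOG4J_MAVEN_PREFIX) and name.endswith("/pom.properties"):
                props = _parse_properties(archive.read(name).decode("utf-8", "replace"))
                found.append((origin, props.get("artifactId", "?"), props.get("version", "?")))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Fat jars and WARs embed log4j as a nested archive: recurse into it.
                found.extend(find_log4j(archive.read(name), f"{origin}!{name}"))
    return found


def build_sample_war():
    """Constructed sample: a WAR embedding a log4j-core jar (version string is made up)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(LOG4J_MAVEN_PREFIX + "log4j-core/pom.properties",
                     "artifactId=log4j-core\nversion=2.0-SAMPLE\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()
```

Feed every file from an `os.walk` of the deployment directory into `find_log4j`; a hit inside a nested archive means the parent product, not only the library, needs updating, which is the point the article makes.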