Log4j Hotpatch Bug Leads to Privilege Escalation in Amazon Linux Distro

Amazon Linux team has released an advisory regarding a race condition bug that could lead to a local privilege escalation affecting the versions of the Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3-5.

A researcher named "Justin" has found a way to bypass the Hotpatch fixes that leads to local privilege escalation to root due to the Race condition bug.

"The exploitation of the bypass can be demonstrated to achieve local privilege escalation on Amazon Linux machines running version 1.1-16 of the log4j-cve-2021-44228-hotpatch package."- Justin wrote

Amazon Linux 2 is a Linux operating system from Amazon Web Services (AWS). It provides a security-focused, stable, and high-performance execution environment to develop and run cloud applications.

At the time of writing, there was no CVE issued for the issue but the fix has been released by the Amazon team (check mitigation below).    

When All Things Start

In December 2021, critical vulnerabilities in the Java log4j package were publicly disclosed, which affected Apache Log4j2, a Java-based logging tool. There are multiple vulnerabilities that have been disclosed (which you can read here) but the most impactful of these was CVE-2021-44228, also known as log4shell.

To fix the above flaws, Amazon announced the release of "Hotpatch for Apache Log4j". This is a utility that is packaged in several ways. It essentially monitors a host and/or containers for Java processes so that hotpatches can be applied to mitigate the various log4j vulnerabilities. Amazon Linux announced the hotpatch packaged in the form of an Amazon Linux package called log4j-cve-2021-44228-hotpatch. 

In April 2022, Yuval Avrahami on behalf of Palo Alto Networks Unit 42 researchers reported that the following packagings of the hotpatch were vulnerable to various impacts including local privilege escalation and container breakout:

• Version <1.1-16 of the log4j-cve-2021-44228-hotpatch package, which bundles the hot patch service.
• Version <1.1-16 of the kubernetes-log4j-cve-2021-44228-node-agent Daemonset, which installs the updated package.
• Version <1.02 of Hotdog, a hot patch solution for Bottlerocket hosts based on Open Container Initiative (OCI) hooks.

Amazon issued updates to the above packaging of the hotpatch.

The Bypass of Hotpatch

The bypass of the Hotpatch found by Justin is due to the fact that the path to the "Java" process' binary is read before its EUID/EGID is extracted. This means that the patching process might take the path to the attacker-controlled binary and then read a higher privilege EUID/EGID in the event of a successful attack.

Justin noted—

The exploitation of this issue requires an attacker to already have low-privilege access to a machine running Amazon Linux with the hotpatch service installed and running. It allows them to escalate privileges from any user to root. It does not allow a remote attacker to gain any kind of initial access. It is nowhere near as significant as the bug in log4j that the hotpatch is hotpatching, however, the presence of the hotpatch service creates a local attack surface on all Amazon Linux hosts running it.

The issues may also be present in other packagings of the hotpatch such as the k8s daemonset, Hotdog, and in the cgroup controls introduced to prevent container breakouts. 

Some brief testing and analysis of the application of cgroup controls indicate that there probably isn't an exploitable race condition window in the containerisation security control application process, but this would be an interesting opportunity for further work - he further added.

Amazon issue Mitigation.

The Amazon Linux team published log4j-cve-2021-44228-hotpatch-1.3-5 which incorporates the recommended fix. It also applies defensive controls to the container-based hotpatch strategy to try to prevent unproven race condition bugs in the application of namespace controls. Users of Amazon Linux should update to log4j-cve-2021-44228-hotpatch-1.3-5.