CS Mar Apr 2022

More documents

Recommendations

Info

Log4shell LOGJAM OF CONCERNS LOG4SHELL IS A CRITICAL VULNERABILITY IN THE LOGGING TOOL LOG4J, USED BY MILLIONS OF COMPUTERS WORLDWIDE. THE FEAR IS THAT, SOME MONTHS ON, THE THREAT IT POSES IS FAR FROM OVER At the tail end of last year, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. Log4shell is a critical vulnerability in the widely used logging tool Log4j, which is used by millions of computers worldwide running online services. A wide range of people, including organisations, governments and individuals are likely to have been affected by it. The problem is that, with time passing, the sense of threat diminishes and with it the urgency to ensure that this vulnerability has been dealt with properly. The crucial factor here is that, although fixes have been issued, they will still need to be implemented and it appears that this has been far from universal. What happens, if no action has been taken yet? "If left unfixed, attackers can break into systems, steal passwords and logins, extract data and infect networks with malicious software, the NCSC points out. "Log4j is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit. This makes Log4shell potentially the most severe computer vulnerability in years." USED ACROSS MANY APPLICATIONS Log4j is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services. The Log4j library is frequently used in enterprise Java software and is included in Apache frameworks, including: Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. Other large projects including Netty, MyBatis and the Spring Framework also make use of the library. In December 2021, a number of vulnerabilities were reported in Log4j: CVE-2021-44228 - referred to as the 'Log4shell' vulnerability, affects Log4j versions 2.0-beta9 to 2.14.1. It allows remote code execution and information disclosure if exploited CVE-2021-45046 - affects versions 2.0- beta9 to 2.15.0, excluding 2.12.2 and was originally reported as a Denial of Service when organisations are running a vulnerable non-standard configuration. Later research found that the same vulnerable configuration allowed a bypass of the mitigations to Log4shell, allowing remote code execution and information disclosure CVE-2021-45105 - affects Log4j versions from 2.0-beta9 to 2.16.0 - A similar denial of service issue to CVE-2021- 45046 when organisations are running a vulnerable non-standard configuration. "An application is impacted by these vulnerabilities, if it consumes untrusted user input and passes this to a vulnerable version of the Log4j logging library," adds the NCSC. "Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j." WHO IS AFFECTED BY THIS? Almost all software will have some form of ability to log (for development, operational and security purposes), and Log4j is a very common component used for this. "For individuals, Log4j is almost certainly part of the devices and services you use online every day. The best thing you can do to protect yourself is make sure your devices and apps are as up to date as possible and continue to update them regularly, particularly over the next few weeks." For organisations, it may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j, points out the NCSC. This makes it all the more critical 32 computing security Mar/Apr 2022 @CSMagAndAwards www.computingsecurity.co.uk
Log4shell for every organisation to ensure they are not exposed to any potential threats from the logging tool and make all the necessary mitigations to ensure they do not become targeted. MASSIVE SHAKE-UP "The LogJam (or Log4Shell) debacle shook the world to its knees," says Niels Hofmans, head of security at Intigriti. "Open-source software is incorporated everywhere into the software we use on a daily basis. However, we often don't know what software 'materials', such as Log4j, are built into the code libraries and tools we operate-or even develop." The good news is that a new standard, called Software Bill of Materials (SBOMs), will hopefully bring some resolution to this problem, where a 'bill of materials' can be (securely) delivered along with packaged software releases, he adds. "This important bill will improve our supply chain security issues, at least by tenfold, since we will be able to track our software in a uniformed way. At the same time, software developers will be able to understand contents more clearly, identify all (transitive) dependencies, and match everything to any security vulnerabilities later on." At the least, companies should consume threat intelligence feeds (TI feeds) that describe the latest attacks, trends and patches so they stay on top of threats and prioritize accordingly. "And when cyberattacks do happen, a modern Web Application Firewall can stop web attacks from reaching your server; even better, if it allows you to tweak its settings to catch the latest attacks." Configuration hardening is the practice of disabling and tweaking aspects in a system to improve its security, which could have prevented this logging library from being exploited, advises Hofmans. "And, even if it's too late, endpoint detection & response should stop or alert any exploitation attempts and trigger you to go into red alert based on any abnormal system behaviour. Finally, to ensure an infected machine can only go so far, network segregation [akin to the Zero Trust Model] will limit its blast radius to only authorised peers and not the whole network." As the head of security for Intigriti and part-time bug bounty hunter; Hofmans warns that this type of creative attack certainly won't be the last. "However, there are many accessible controls software users can proactively implement now, rather than waiting for the next attack to happen." SERIOUS FLAWS MOUNT UP According to John Graham-Cumming, CTO at Cloudflare, Log4Shell is the third serious flaw that has affected a wide range of Internet services: Heartbleed in 2012, ShellShock in 2014 and now Log4Shell in 2021. "The Log4Shell vulnerability allows an attacker to execute code on a remote server, a so-called Remote Code Execution (RCE). The vulnerability was particularly serious, because of the widespread use of Java and Log4j. Importantly, even non- Internet facing software that uses Java could have been exploitable as data gets passed from system to system. "When vulnerabilities like this are disclosed, it's important for companies to do two things: make sure their firewall is configured to block the attacks - and talk to their firewall vendor to see if they've rolled out a specific blocking rule - and patch the vulnerability as soon as possible." Other best practices he recommends include filtering and logging DNS queries to block queries made to known malicious destinations, securing network traffic leaving your infrastructure with an updated, and inspecting and filtering HTTP traffic, which can block attacker attempts to reach their destinations. Niels Hofmans, Intigriti: the good news is that a new standard, called Software Bill of Materials (SBOMs), will hopefully bring some resolution to this problem. DANGER ON THE HORIZON While Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), recognises how Log4Shell would have impacted businesses on many levels, he emphasises most of all how any attack targeting Horizon could represent a disruptive threat to operations for those who are running VMware Horizon as part of a remote work programme. "As background, many VMware products include Apache log4j2 as their logging mechanism," he states, "and, as the evolution of the log4j2 patches occurred, VMware was proactive in their patch and mitigation efforts." Patch and mitigation information has been available for Horizon since December. "From a risk management perspective, focusing attention on VMware Horizon, or any other individual product that uses log4j2, misses the real business risk associated with Log4Shell. If your patch management process missed Log4Shell or you had to manually scan each system to identify log4j2 www.computingsecurity.co.uk @CSMagAndAwards Mar/Apr 2022 computing security 33
Page 1: Computing Security Secure systems,
Page 4: Secure systems, secure data, secure
Page 7 and 8: Strengthen your data resilience wit
Page 10 and 11: ehavioural insights INFORMATION SEC
Page 12 and 13: MSP insights THE MSP ATTACK TARGET
Page 14 and 15: metaverse VIRTUAL WORLD, REAL DANGE
Page 16 and 17: compliance GETTING TO THE HEART OF
Page 18 and 19: cloud THE CLOUD CONUNDRUM CLOUD, IN
Page 20 and 21: cloud Raghu Nandakumara, Illumio: a
Page 22 and 23: tech scrap I.T. EQUIPMENT JUNKED PR
Page 24 and 25: NHS breaches NHS BREACHES - JUST A
Page 26 and 27: NHS breaches Felix_Rosbach, comfort
Page 28 and 29: ansomware RANSOMWARE NOW A GLOBAL M
Page 30 and 31: ansomware Daniel Hofmann, Hornetsec
Page 34 and 35: Log4shell Jude McCorry, SBRC: all o
Page 36: PLAY IT SAFE WITH 365 TOTAL PROTECT

CS Mar Apr 2022

Create successful ePaper yourself

Delete template?

Save as template?