Addressing Log4j Vulnerability with Cymulate

 

Published on December 10th by NIST, the Apache Log4Shell or LogJam, AKA CVE-2021-44228, is a highly critical new vulnerability, ranked the most severe current security risk, as it affects a large number of services due to the popularity of Log4j.

 

Log4J is a widely used Java-based logging library. Log4Shell is able to create a Remote Code Execution (RCE) by tricking a component of Java applications in web servers into executing commands without the authorization of the administrator and without a valid login to the targeted device/service/site.  

 

As Log4Shell has a high potential for escalation and is actively being exploited, it is critical to rapidly check the exposure of your environment, including the entire potential attack path.

 

Cymulate provides four critical methodologies to determine if your organization is at risk and to determine if your security controls have the ability to deflect attempted Log4Jam/Log4Shell attacks. This in-depth detection is achieved with a combination of four distinct modules included in the Cymulate Extended Security Posture Management Platform:

 

 

Attack Surface Management (ASM):

The Cymulate ASM module simulates the attacker reconnaissance phase. It has already been updated to include the capability to scan for systems/devices vulnerable to this exploit. It uses a branching methodology to discover visible and available systems that can be attacked by the outside world. Discovering these devices allows your security team to locate systems running vulnerable applications and code, even if they are not included in formal inventories, i.e., “Shadow IT” systems running within the organization’s environments. This results in a comprehensive discovery of systems that need to be patched/updated and/or further isolated from the outside world until such patching/updating is possible.

 

Web App Firewall Security Controls (WAF):

Cymulate WAF efficacy testing has been updated to include the ability to safely attempt to perform a Log4Jam/Log4Shell attack without putting systems at risk. By completing a production-safe Log4Shell attack, WAF defenses can be tested to ensure that they recognize the exploits attempted by this vulnerability and adequately stop the traffic from being delivered to the impacted applications and systems. This option is the fastest way to prevent exploits and provide ample time for patching under standard change control windows. 

 

Advanced Purple Team Scenarios:

Cymulate can assist with testing for Log4j as it can be part of many systems that are not directly Internet-facing. For example, a known vulnerability in VMWare vCenter can be exploited with a Log4j attack methodology, but many vCenter systems are not accessible from the outside world. Utilizing Cymulate purple-team security validation technology, targeted attack scenarios can be created and customized to determine if Log4j vulnerabilities are exploitable on these internal systems, further strengthening defenses to remove the potential for attack if a threat actor were to gain an internal foothold. 

 

Finally, Immediate Threats Intelligence (ITI):

Cymulate ITI has a detection simulation of the first attack discovered that uses Log4Jam/Log4Shell that you can run safely within your environment. This allows you to test anti-malware and network-level download traffic scanners to ensure they recognize the attack binaries. Through its integrations, it also queries Vulnerability Management tools to highlight any devices internally that your Vulnerability Management Platform (such as Tenable, Qualys, or others) has identified.

 

These four testing methodologies can allow your teams to get a handle on this vulnerability, identify where vulnerable software exists within the organization that is public-facing (purposely or accidentally), and test systems that are not internet-facing but use (or may use) the impacted Log4j plugins, and ensure that security controls recognize and adequately handle attack traffic which is being aimed at your organization.